Need to Know




Satya’s Microsoft: 
Devices and Services 

After six months of speculation and rumors, Microsoft finally
announced in February that it had selected Satya Nadella 
as its next CEO, replacing Steve Ballmer. But who is Satya 
Nadella, and are there any clues—in his decades of experience at the 
software giant or otherwise—to suggest whether he’ll toe the line 
on “devices and services” or plot a new path for the world’s largest 
maker of software? 

A cursory examination of Mr. Nadella’s resume shows that he hails 
from Hyderabad, India, has serious education credentials—including 
an engineering bachelor’s degree, a master’s in computer science, and 
a second master’s degree in business administration—and worked at 
Sun Microsystems before joining Microsoft in 1992. But this early 
experience will almost certainly have less impact on his leadership 
tendencies than will his two decades at Microsoft. 

During this time, Nadella experienced firsthand both the firm’s epic 
crest of the Windows 95 wave and the subsequent falls to antitrust 
rulings and faster-moving competitors in new markets. That’s important
because the new Microsoft—the reimagined Microsoft, if you
will—is seeking to establish itself anew in a computing world that’s 
driven by highly mobile devices on the client side and online services 
on the back end, the modern equivalents to the PC and server computing
products that Microsoft previously rode to fame and fortune.

Also important are Nadella’s experiences with an amazingly wide 
swath of Microsoft during his 22 years at the company. Starting off 
as a program manager in Windows Developer Relations, Nadella 
then moved on to the firm’s interactive TV (ITV) and digital rights 
management (DRM) efforts and later joined the Commerce Platforms 
Group as general manager, where he led the development of Microsoft 
Commerce Server and BizTalk Server. He was senior vice president of
research and development for the Online Services Division (Search, 
MSN, and Advertising), then vice president of the Microsoft Business 
Division (Office). 

Where Nadella really found his footing, however, was with the 
Server business. He became president of Server & Tools in early 2011 
and pushed the business to move from its on-premises roots to cloud 
services. This culminated in the release of the so-called Cloud OS, 
which wasn’t an actual product per se, but rather an ad hoc collection 
of on-premises and cloud-based solutions that corporate customers 
could combine as needed to create their own cloud infrastructures, 
be they private, public, or some combination. With Microsoft’s transition
to devices and services, Nadella moved into a new executive
vice president role of the Server & Tools division’s successor, called the
Cloud & Enterprise Group. 

What we can gather from this experience is straightforward: Nadella 
isn’t just a believer in devices and services; he’s responsible for one 
of Microsoft’s most obvious internal success stories with regard to 
making this transition. And it’s highly likely he will use that success 
as a guide to help the rest of Microsoft successfully navigate this 
change as well. 

As the highest-profile internal candidate for CEO, Nadella was a 
highly requested interview subject throughout the latter part of last 
year. And while we might take his comments about Microsoft’s future 
direction with a grain of salt—certainly, a top-level Microsoft executive
would profess nothing but loyalty to the firm’s stated mission
and strategy—he did certainly have a lot of interesting things to say. 

Cloud computing is here to stay, for starters. “I think everyone’s 
going to be in the cloud,” Nadella told Gigaom last October. “[But] no 
one’s going to be exclusively on one public cloud; that’s the dichotomy.
You may have a private cloud and a public cloud.”

Nadella believes in consumer-driven IT and the Bring Your Own 
Device (BYOD) trends, too, and was an early proponent of the 
Windows Intune cloud-based device management service. “Our goal
is . . . making it easy for end users to use their devices that they have 
to be able to access corporate information and for corporations to 
be able to have controls that allow them to give per device and user 
access,” he said. “That’s the future that we build for, not the old 
model of IT procures and provisions but the model where end users 
procure and IT governs. That’s the model that I see.” 

And he’s driven the former server parts of Microsoft to deliver for 
the cloud first, then figure out which parts can later be delivered 
to those that still require on-premises solutions. “Microsoft has no 
SQL Server developers,” Nadella told Forbes, somewhat provocatively.
“We have only Azure developers. But every 12 to 18 months
we reverse-engineer [the code] into a product we can sell.” 

But Microsoft’s transition from enterprise servers to online services 
is straightforward. Less successful is its transition to devices. 

In recent years, Microsoft has made a credible stab at the PC market
with its new Surface business, but sales are relatively modest. The
firm is about to complete a massive acquisition of Nokia’s handset
business, and although Microsoft has made steady progress with its
Lumia lineup of Windows Phone handsets, it didn’t grow fast enough 
to keep Nokia solvent as a standalone business. And Microsoft is also 
buying Nokia’s non-Windows Phone handsets, including the Asha 
line of feature phones and the Nokia-branded entry-level phones. 

It’s not clear how or even if Microsoft can use these products to 
upsell customers to Windows Phone. And it’s not clear whether these 
businesses will be more successful under Microsoft’s control than 
they were under Nokia’s. 

While an implicit part of the “devices” aspect of Microsoft’s new 
direction relates to third-party devices—that is, Microsoft software 
and services running on top of Apple iPads, Android devices, and 
the like—Nadella believes that the firm must also make a Windows 
push in handsets and tablets. “I think we will be a player [in these 
markets],” he has said.

Of course, the biggest question mark with Nadella is his understanding
of the consumer side of the business. While he’s paid lip service
to Steve Ballmer’s contention that consumer and business go hand 
in hand—you don’t just have a consumer email service or a business 
email service, for example, you have both—Nadella has also spent the 
past several years thinking solely about the enterprise side of things. 
“I live and breathe . . . the enterprise,” he said last year. 

“On the enterprise side, we’re playing offense,” he said in one of 
his more telling comments about the gulf between Microsoft’s enterprise
and consumer offerings; the insinuation here—correct, I think—
is that Microsoft is in effect playing defense on consumer. But in a
pragmatic sense, it’s fair to say that a radically different product such
as Windows 8, which aims for both the traditional PC desktop and
new tablet and hybrid PC designs, is a bit of a tough sell to Microsoft’s
customer base. It’s perhaps not fair to expect such a thing to
achieve “desktop PC scale” quickly, Nadella has said. 

Given all this, many have questioned whether Microsoft should focus 
solely on its enterprise efforts—which represent about two thirds of the 
company’s revenues—and abandon money-losing efforts such as Bing 
and Xbox. I happen to believe this is a prudent course for Microsoft to 
take, but Nadella’s experiences suggest the firm will do otherwise. 

The “devices and services” mantra is devices and services, not 
devices or services. Bing is a big bet in consumer services, one that 
can be accessible from a variety of mobile devices. And Xbox is a 
big bet on the living room, an area where no firm—not Apple, not 
Google—has gotten much of a foothold. A victory there would provide
Microsoft with a second front, after the PC, from which to take
on the Android and iOS consumer devices hegemony. 

So, no, Nadella doesn’t have a lot of consumer experience, especially
not recently. But Steve Ballmer didn’t have a technical or engineering
background, and he ran Microsoft for 14 years.

What Nadella has done, up front, is present himself as a forward-leaning
freethinker who has already achieved great success with a
part of the company, a success he now wants to bring to the rest of
Microsoft. In short, his introductory communications with Microsoft 
and the outside world were brilliantly crafted, something we don’t 
typically associate with this firm. 

“Our industry does not respect tradition, it only respects innovation,”
Nadella said in a prepared statement at the time of his CEO
announcement. “The opportunity ahead for Microsoft is vast, but to 
seize it, we must move faster, focus, and continue to transform. I see 
a big part of my job as accelerating our ability to bring innovative 
products to our customers more quickly.” 

He’s also worked to restore the word “software” to a conversation 
that had veered perhaps a bit too far toward devices and services for 
some customers. As I wrote recently in “Getting Past Devices and 
Services,” Nadella repeatedly used the word software in his formal 
introduction to employees. It’s a word Microsoft officials haven’t used 
much since announcing the devices and services shift. 

“This is a software-powered world,” Nadella wrote in his open letter 
to employees. “Microsoft uniquely empowers people to ‘do more.’ . . . 
This is the core of who we are, and driving this core value in all that we 
do, be it the cloud or device experiences, is why we are here.” 

Microsoft’s devices and services strategy is controversial in some 
circles, but it represents an important understanding of how the 
world the firm does business within is changing and will do so with 
or without it. But at a high level, this strategy has generally alienated 
certain customer types in the same way that a radical product such as 
Windows 8 has more specifically alienated certain customers as well. 

Ultimately, both suffer from the same issue, a perception that Microsoft
is changing things too much for some customers. The industry
might not respect Microsoft’s past, but Microsoft should, even as it 
moves forward with new innovations. 

Microsoft’s continued on-premises offerings and the hybrid deployment
solutions that combine on-prem and cloud-based infrastructure
in useful ways are both unique—something that Microsoft’s
competitors cannot offer—and respectful of the needs of Microsoft’s
installed base. 

But when Microsoft releases a product such as Windows 8, or 
speaks about revolutionizing its business into devices and services, 
many see those changes as disrespectful of the past. So each can 
be changed—Windows 8, at a low level, with specific changes that 
address customer concerns, and at a higher level, Microsoft’s devices 
and services strategy, at least how the firm talks about it, with an 
explicit acknowledgment that software plays a key role in each— 
without actually veering from the original vision of either. 

These are the sorts of changes I expect to see under Mr. Nadella, not 
a broad strategy change—a continuation of the strategy that started 
under Mr. Ballmer and will come to fruition, in part, under the watchful
gaze of Microsoft’s first CEO, Bill Gates, who is now serving as
special advisor to Satya Nadella. The broad strokes are all in place. 
Now it’s just about the execution. ■

A More Flexible Active
Directory One-Liner

Assemble and apply DisplayNames 

Last month, in “Going Further with ForEach,” I showed you how
to recast any Active Directory (AD) one-liner into a mildly more
complex form based on the pipeline variable $_ and PowerShell’s
ForEach command to enable more flexibility. This month, I’ll show
you a less trivial ForEach example and assemble it in “slow motion” 
to help clarify how you can build your own one-liners. 

I started this discussion about ForEach-based one-liners by offering 
this simple but non-trivial task: Assuming your AD accounts contain 
a givenname (the AD attribute for “first name”) and sn (“last name”), 
you can clean up your DisplayName values by simply concatenating 
each account’s givenname with a space and then its sn, resulting in a 
pretty good set of DisplayNames. 

A side note: Before you ask me why Microsoft used givenname 
for “first name” but shortened “surname” to sn, let me say that it 
wasn’t Microsoft’s fault. The company based AD’s schema on the 
X.500 schema. X.500 was intended to be a template for any communications
service that required usernames and passwords, and
the work on its structure and attribute names began back in 1984. 
When you realize that another of X.500’s standard user attributes 
was FavoriteBeverage, it’s easy to guess that, well, maybe givenname 
was defined before a lunch break that included favorite beverages, 
and that sn was defined later in the afternoon. I should also mention
that the AD team at Microsoft took pity on us and added a “synthetic”
extra attribute called surname that only PowerShell knows.
The surname attribute is really just an alias for sn—much more
aesthetic, I think you’ll agree.

As always, it’s easiest to design this one-liner from a high level
down by determining the “filter” (which accounts to modify) and the 
“hammer” (what to do to them). In this sample filter, you want to 
perform this action on all AD accounts, so the filter is easy: 

get-aduser -filter * -properties * 

Next, you’ll want to modify the DisplayName attributes of those 
accounts. The generic cmdlet for tweaking an AD user’s attribute is 
Set-ADUser. Now, assembling its syntax will be a little more complex 
than for Get-ADUser, so let’s start by reviewing a simple example of 
Set-ADUser. To set a user with the samaccountname “john” to a DisplayName
of “John Smith,” the syntax would look like

set-aduser john -displayname "John Smith" 

Next, let’s assemble the entire one-liner along the lines laid out last 
month: 

get-aduser -filter * -properties * | foreach {do something that uses $_}

Your next job is to take that static Set-ADUser example above, along 
with the pipeline variable $_, and see if you can write whatever goes 
into {do something that uses $_}. I do this by recasting that Set-ADUser
example to make it more generic, but in English:

set-aduser [logon name of the current user in the pipeline] 
-displayname (user's givenname, concatenated to a space, 
concatenated to the sn of the user in the pipeline) 

I put the parentheses around the last part for two reasons. First, it’s 
a nice way of clarifying what you need to figure out syntax-wise and,
second, putting them in the final one-liner will make it a bit more
readable to someone trying to figure out six months from now what 
this does and how it does it. (Trust me, more often than not, that 
someone will be you.) 

Recall that concatenate in PowerShell is just the plus sign, and of 
course a space is just a blank character surrounded by quotes. So, 
that simplifies my Set-ADUser command to 

set-aduser [logon name of the current user in the pipeline] 
-displayname (user's givenname + " " + user's sn) 

The final part of converting this into PowerShell-ese is to describe
the user’s logon name, givenname, and sn, which are all attributes of 
the current object in the pipeline, $_. The Set-ADUser command then 
looks like 

set-aduser $_.samaccountname -displayname ($_.givenname + " " + $_.sn)

Even better, messing with Set-ADUser shows that it doesn’t need 
to be directed to the samaccountname attribute, because it’s smart 
enough to be passed the whole object and function properly. Put that
Set-ADUser command into the scriptblock for ForEach, and you get 

get-aduser -filter * -properties * | foreach { set-aduser $_ -displayname ($_.givenname + " " + $_.sn)}

It’s not quite as clear as the simple non-ForEach one-liners you’ve 
built so far, but it gets a lot done. If it were only a little easier to read, 
right? Join me next month, and I’ll clarify things a bit. ■ 
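
A more cautious form of the one-liner above, as an added example that is not part of the original column: it requests only the attributes it needs, skips accounts that lack a first or last name or already have the right DisplayName, and previews every change with -WhatIf. The function name Get-DisplayNameChange and the sample accounts are constructed for illustration.

```powershell
# Added example (not from the original column).
# Get-DisplayNameChange is a hypothetical helper. It accepts any objects that
# carry SamAccountName, GivenName, Surname and DisplayName properties.
function Get-DisplayNameChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        $given = "$($User.GivenName)".Trim()
        $sn    = "$($User.Surname)".Trim()

        # Skip service accounts and other objects with no first or last name.
        # The plain one-liner would try to set their DisplayName to a lone space.
        if (-not $given -or -not $sn) { return }

        $proposed = $given + " " + $sn

        # Skip accounts that already hold the right value, so the run makes
        # no needless writes to the directory.
        if ($User.DisplayName -ceq $proposed) { return }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Current        = $User.DisplayName
            Proposed       = $proposed
        }
    }
}

# Constructed sample accounts, so the logic can be tried without a domain:
# one account needing a fix, one service account with no names, one already correct.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';     GivenName = 'John'; Surname = 'Smith'; DisplayName = 'jsmith' }
    [pscustomobject]@{ SamAccountName = 'svc_backup'; GivenName = $null;  Surname = $null;   DisplayName = 'svc_backup' }
    [pscustomobject]@{ SamAccountName = 'mlee';       GivenName = 'Mary'; Surname = 'Lee';   DisplayName = 'Mary Lee' }
)
$sample | Get-DisplayNameChange | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module). -WhatIf only
# previews the changes; remove it after reviewing the output.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter * -Properties GivenName, Surname, DisplayName |
        Get-DisplayNameChange |
        ForEach-Object {
            Set-ADUser -Identity $_.SamAccountName -DisplayName $_.Proposed -WhatIf
        }
}
```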
Top 10 New Features in
SQL Server 2014 

The new In-Memory OLTP is at the top 
of the list 
Microsoft introduced some significant enhancements in SQL
Server 2014—especially with In-Memory OLTP. However, as
you might expect after such a short release cycle, not every
subsystem has been updated; there are no major changes to SQL Server
Integration Services (SSIS), SQL Server Replication Services, or SQL
Server Reporting Services (SSRS). Nonetheless, there are plenty of significant
enhancements. Here are 10 new features in SQL Server 2014.


In-Memory OLTP Engine

SQL Server 2014 enables memory optimization of selected tables and 
stored procedures. The In-Memory OLTP engine is designed for high 
concurrency and uses a new optimistic concurrency control mechanism
to eliminate locking delays. Microsoft states that customers can
expect performance to be up to 20 times better than with SQL Server 
2012 when using this new feature. For more information, check out 
“Rev Up Application Performance with the In-Memory OLTP Engine.” 


AlwaysOn Enhancements

Microsoft has enhanced AlwaysOn integration by expanding the maximum
number of secondary replicas from four to eight. Readable secondary
replicas are now also available for read workloads, even when
the primary replica is unavailable. In addition, SQL Server 2014 provides
the new Add Azure Replica Wizard, which helps you create
asynchronous secondary replicas in Windows Azure.

Buffer Pool Extension

SQL Server 2014 provides a new solid state disk (SSD) integration 
capability that lets you use SSDs to expand the SQL Server 2014 Buffer
Pool as nonvolatile RAM (NvRAM). With the new Buffer Pool
Extensions feature, you can use SSD drives to expand the buffer 
pool in systems that have maxed out their memory. Buffer Pool 
Extensions can provide performance gains for read-heavy OLTP 
workloads. 

Updateable Columnstore Indexes

When Microsoft introduced the columnstore index in SQL Server
2012, it provided improved performance for data warehousing queries.
For some queries, the columnstore indexes provided a tenfold
performance improvement. However, to utilize the columnstore
index, the underlying table had to be read-only. SQL Server 2014
eliminates this restriction with the new updateable Columnstore
Index. The SQL Server 2014 Columnstore Index must use all the columns
in the table and can’t be combined with other indexes.

Storage I/O Control

The Resource Governor lets you limit the amount of CPU and memory
that a given workload can consume. SQL Server 2014 extends the
reach of the Resource Governor to manage storage I/O usage as well. 
The SQL Server 2014 Resource Governor can limit the physical I/Os 
issued for user threads in a given resource pool. 

Power View for Multidimensional Models 

Power View used to be limited to tabular data. However, with SQL 
Server 2014, Power View can now be used with multidimensional 
models (OLAP cubes) and can create a variety of data visualizations 
including tables, matrices, bubble charts, and geographical maps. 
Power View multidimensional models also support queries using 
Data Analysis Expressions (DAX).

Power BI for Office 365 Integration

Power BI for Office 365 is a cloud-based business intelligence (BI) 
solution that provides data navigation and visualization capabilities. 
Power BI for Office 365 includes Power Query (formerly code-named 
Data Explorer), Power Map (formerly code-named GeoFlow), Power 
Pivot, and Power View. You can learn more about Power BI at Microsoft’s
Power BI for Office 365 site.


SQL Server Data Tools for Business Intelligence

The new SQL Server Data Tools for BI (SSDT-BI) is used to create SQL
Server Analysis Services (SSAS) models, SSRS reports, and SSIS packages.
The new SSDT-BI supports SSAS and SSRS for SQL Server 2014
and earlier, but SSIS projects are limited to SQL Server 2014. In the 
pre-release version of SQL Server 2014, SQL Server Setup doesn’t 
install SSDT-BI. Instead, you must download SSDT-BI separately from 
the Microsoft Download Center. 

Backup Encryption

One welcome addition to SQL Server 2014 is the ability to encrypt
database backups for at-rest data protection. SQL Server 2014 supports
several encryption algorithms, including Advanced Encryption
Standard (AES) 128, AES 192, AES 256, and Triple DES. You must use 
a certificate or an asymmetric key to perform encryption for SQL 
Server 2014 backups. 

SQL Server Managed Backup to Windows Azure

SQL Server 2014’s native backup supports Windows Azure integration.
Although I’m not entirely convinced that I would want to depend
on an Internet connection to restore my backups, on-premises SQL 
Server 2014 and Windows Azure virtual machine (VM) instances 
support backing up to Windows Azure storage. The Windows Azure 
backup integration is also fully built into SQL Server Management 
Studio (SSMS). ■ 
Windows Azure Active
Directory vs. Windows
Server Active Directory

Don't let the name fool you—
It's very different, and it's the future


There’s been a lot of confusion about Windows Azure Active
Directory (Azure AD) since it was unveiled to the public last
year, though it has been running at scale for a while. Over the
next few months, I’m going to cover the various combinations of
Azure AD and Windows Server AD that you can use to support your 
company, and talk about the scenarios in which you might want to 
use them. Because Azure AD is a building block that’s key to these 
architectures, it’s important to give you a sense of what Azure AD 
is and what it isn’t. How is Azure AD like Windows Server AD, and 
where is it different? 

Azure Active Directory Really Is "AD in the Cloud"... Sort of 

Windows Server AD, specifically Active Directory Domain Services 
(AD DS), provides authentication and authorization (access control)
to applications, file services, printers, and other on-premises
resources. It uses protocols such as Kerberos for authentication and 
LDAP for resource discovery. But AD DS, known as just AD, wasn’t 
designed to handle the world of web-based Internet services. 

Like AD DS, Azure AD also provides authentication and authorization
to applications. Unlike AD DS, however, Azure AD was specifically
designed to support web-based services that use RESTful
interfaces—services such as Salesforce.com, Concur, Google Apps,
and Office 365. Also unlike AD DS, it uses an entirely different set
of protocols that work with these services—protocols such as SAML
and OAuth 2.0. But at a high level, you could say that Azure AD
really is an “AD service in the cloud” for cloud-based applications, as
Figure 1 shows.

Figure 1: Functional Comparison of Active Directory Domain Services and Windows

Azure AD is not, however, simply an implementation of AD DS
in Windows Azure. Far from it. Although the high-level functions
of authentication, authorization, directory query, and user or group
management are all there (and expanding on a monthly basis), the
details of how these are accomplished are very different from AD DS.
Azure AD is a gargantuan multi-tenant service that is the identity
and access management (IAM) system underpinning all of Windows
Azure, including Microsoft Online Services (MOS). The copy of Azure
AD you can see and manage (your tenant) is a teeny little instantiation
of a much larger whole, as Figure 2 shows.

Figure 2: You're Just One of More Than 1.5 Million Azure Active Directory Tenants


In addition to providing authentication and authorization for
Microsoft Online Services and other Azure subscriptions, Azure AD
has connected hundreds of SaaS applications to its service to provide
single sign-on (SSO), either through federation for applications that
support it or through password vaulting and form-based authentication
for those that don’t. In contrast, you must use AD DS plus AD FS
on premises, then set up each connection yourself (and only for apps 
that support federation). 

Because it doesn’t exist in an identity void (the vast majority of
enterprise user accounts are on premises in an AD DS forest), Azure
AD supports the connection of a tenant (your Azure AD forest) to
these on-premises forests via an identity bridge. Microsoft’s bridges
are AD FS plus the Windows Azure Active Directory Synchronization
tool (wisely shortened to “DirSync”) or the Azure AD connector
for Forefront Identity Manager (FIM) 2010 for more complicated on-premises
AD scenarios. There are also several excellent third-party
bridges that can accomplish this task.

Pay Attention

Why would you want to pay attention to Azure AD? Why should 
you squeeze one more bit of learning and skills into your already full 
day? First, if you use any of the Microsoft Online Services, such as 
Exchange Online, Office 365, or Windows Intune, the accounts you 
manage for these services are in Azure AD. So you’d better know 
how to use it. 

Second, if you’re considering using Identity as a Service (IDaaS)— 
and if you aren’t, you should—Azure AD is a new but rapidly growing
contender in this market. It’s quite clear that Microsoft aims to
be competitive. It’s important to note that many of these other IDaaS 
solutions provide excellent capabilities. 

Finally, you should be conversant with Azure AD for one simple 
reason: It’s the identity infrastructure of Microsoft’s future. I’ll dive 
into this a little more deeply next month. 

For more information about Azure AD, you’ll find several videos 
about Windows Azure Active Directory, cartoon style, on Channel 9 
that describe its fundamental concepts. Some are a little dated, but only 
because the product’s capabilities are evolving so rapidly. MSDN has 
Windows Azure Active Directory technical documentation as well. ■ 
Integrating iSCSI Target Server
into System Center Virtual 
Machine Manager 2012 R2 

Once integrated, VMM can provision storage 
to managed hosts 

The Microsoft iSCSI Target Server provides network-accessible,
block-level storage to end users. The iSCSI Target Server made
its appearance on the scene as an add-on feature in Windows
Storage Server. Shortly thereafter, it was available to the public as
a separate, free download that could be installed on supported versions
of the Windows Server OS. After introducing you to the iSCSI
Target Server, I’ll show you how to integrate it (as a managed storage
provider) into System Center Virtual Machine Manager (VMM)
2012 R2. Once it’s integrated, VMM can provision storage to managed
hosts.

Introducing the iSCSI Target Server 

The iSCSI Target Server was included with the Windows Server 2012 
File Server role when it was released. The iSCSI Target Server is ideal 
for a variety of scenarios, including: 

• Deploying diskless servers using boot-capable network adapters 
or a third-party software loader 

• Providing remotely accessible storage (which can be continuously
available if configured in a failover cluster) for applications running
on client or server machines

• Heterogeneous environments, which can include third-party iSCSI
initiators

• Development, test, demonstration, and lab environments in which
the iSCSI Target Server is used to test applications or scenarios
prior to deploying them in production environments

Chuck Timon is a senior support escalation engineer with Microsoft
Commercial Technical Support. He specializes in high availability
(failover clustering) and virtualization (Hyper-V and System Center
Virtual Machine Manager) technologies. He has contributed to the
Ask the Core Team, Microsoft App-V Team, and System Center:
Virtual Machine Manager Engineering blogs.

WWW.WINDOWSITPRO.COM
Windows IT Pro / April 2014

What Would Microsoft Support Do?

To make storage available to a host, you need to allocate storage to
the host group that contains the host.

The iSCSI Target Server was updated in Windows Server 2012 R2. The
updates include:

• A redesigned data persistence layer that uses the new Virtual 
Hard Disk (VHD) 2.0 format that was first introduced in Server 
2012. This new format (VHDX) provides greater storage capacity 
(up to 64TB) and better data corruption protection during power
failures. Storage performance is enhanced because of better on-disk
alignments and support for the newer large sector (native
4K) drives.

• An SMI-S provider that’s included with iSCSI Target Server. This 
provider allows for better integration with VMM. 

• New cmdlets in the Windows PowerShell module for the iSCSI 
Target Server. These cmdlets provide more management flexibility 
in different environments. 

• Improved disk-level caching functionality. The iSCSI Target Server
sets the disk cache bypass flag on the host disk I/O through
Force Unit Access (FUA) only when the initiator requests it.
This provides the potential for further storage performance
improvement.

• Scalability improvements. The maximum number of sessions per 
target server has been increased to 544. The maximum number of 
LUNs per target server has been increased to 256. 


Enabling the iSCSI Target Server Feature 

As previously mentioned, the iSCSI Target Server is a feature (i.e., a 
role service) that’s part of the File Server role in Server 2012 R2. You 
can add this feature with the Add Roles and Features functionality
in Server Manager or with the Install-WindowsFeature PowerShell
cmdlet.

I’ll show you how to use the Install-WindowsFeature cmdlet to
add this feature. If you don’t use PowerShell often, I recommend
that you first run the Update-Help cmdlet. It will download the latest
PowerShell cmdlet information, including Help topics and examples
from Microsoft.

To add the iSCSI Target Server feature, open PowerShell and run 
the command: 

Install-WindowsFeature -Name FS-iSCSITarget-Server 

After the command successfully completes, you can verify the installation
using the command:

Get-WindowsFeature -Name FS* |
Where InstallState -eq Installed

Once the feature is installed, you can use Server Manager or PowerShell 
to manage it. 

Integrating the iSCSI Target Server with VMM 

Integrating a storage device such as the iSCSI Target Server with VMM 
requires either an SMI-S provider or a native Windows Management 
Instrumentation (WMI) Storage Management Provider. In Server 2012, 
you need to manually install the SMI-S agent on the iSCSI Target Server 
using the VMM 2012 SP1 installation CD-ROM. One of the improvements
in Server 2012 R2 is that the iSCSI Target Server SMI-S provider
is installed with the feature. No additional installation or configuration 
is required. 

After the iSCSI Target Server feature is installed, you need to per¬ 
form the following steps to integrate it into VMM: 

1. Open the VMM console, connect to the VMM server, and
navigate to the Providers category, which is under \Fabric\Storage.

2. Right-click Providers and select Add Storage Devices. This
action initiates the Add Storage Devices Wizard.

3. On the Select Storage Provider Type page, select the SAN and 
NAS devices discovered and managed by an SMI-S provider 
option. Click Next. 

4. On the Specify Discovery Scope page, provide information
about the protocol and SMI-S provider you want to use. In
the Protocol drop-down list, select SMI-S WMI. In the Provider
IP address or FQDN field, specify either the IP address or
Fully Qualified Domain Name (FQDN) of the server hosting
the iSCSI Target Server. Finally, in the Run As account field,
specify the account you want to use to connect to the server.
The account must have local administrator privileges on the
server. Click Next.

5. On the Gather Information page, you can watch as VMM connects
to the iSCSI Target Server and collects information about
the storage devices. You don’t need to do much on this page,
except click Next after the data collection process finishes.

6. On the Select Storage Devices page, choose the available storage
pools that you want to be managed by VMM. Be sure to
exclude the system drive for the server. When you’re done,
click Next.

7. On the Summary page, check the settings and click Finish. 

After the Add Storage Devices Wizard finishes, you need to verify
that the integration was successful. In the VMM console, navigate to
\Fabric\Storage. In the Providers category, make sure that the iSCSI
Target Server status is Responding. In the Arrays category, click the
listing for the iSCSI Target Server and inspect the displayed information,
especially the storage pool information, as shown in Figure 1. In
the Classifications and Pools category, expand the classifications that
were applied to the iSCSI Target Server storage pools and inspect the
information displayed for each pool, as shown in Figure 2.

Figure 1: Inspecting the Array Information

Figure 2: Inspecting the Pool Information


Provisioning Storage 

Once VMM is managing the iSCSI Target Server, storage can be provisioned
and allocated to hosts. This requires a little preparation on
the host—namely, starting the Microsoft iSCSI Initiator Service and
setting it to run automatically. This can be accomplished in Server
Manager (\Tools\Services) or at the PowerShell command line. You
can also run a short PowerShell script similar to this:

Invoke-Command -ComputerName Contoso-HYP1 -ScriptBlock {
    # Set the initiator service to start at boot, then start it now
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service MSiSCSI
}

Figure 3: Adding an iSCSI Array


After starting the iSCSI Initiator Service on a host, you need to
access the host’s properties in the VMM console. On the host’s Properties
page, click Storage in the left pane. In the right pane, click Add
and choose Add iSCSI Array, as Figure 3 shows. In the Create New
iSCSI Session dialog box shown in Figure 4, provide the requested
information for the iSCSI Target Server session. After establishing a
session with the iSCSI Target Server, data will be displayed indicating
the total storage capacity available and the number of managed storage
pools.

Figure 4: Creating a New iSCSI Target Server Session

With storage now available, the next step is to create LUNs to
assign to the hosts. In the VMM console, click the Create Logical
Unit option on the Home ribbon. (Alternatively, you can click the
Create button and choose Logical Unit.) In the Create Logical Unit
dialog box, select an available storage pool, provide a name for the
LUN, add a description if desired, specify a size (i.e., capacity), and
click OK. After the LUN is created, it appears in the Classifications
and Pools display under the appropriate classification. As Figure 5
shows, the LUN is associated with the iSCSI Target storage pool. In
Figure 5, notice that the new LUN hasn’t yet been assigned (Assigned
= No). This isn’t an anomaly. You need to allocate storage to the
host before the LUN can be assigned. (If at any time you do encounter
storage-related anomalies in the VMM console display, locate
the iSCSI Target Server entry under \Fabric\Storage\Providers and
execute a Refresh job.)

Figure 5: Examining the LUN

28 Windows IT Pro / April 2014
WWW.WINDOWSITPRO.COM
What Would Microsoft Support Do?

Allocating Storage to the Host

To make storage available to a host, you need to allocate storage
to the host group that contains the host. When allocating storage
to a host group, you allocate both storage pools and LUNs. First,
you allocate the storage pools by opening the host group’s Properties
page, clicking the Allocate Storage Pools button, and providing
the requested storage pool information in the Allocate Storage Pools
dialog box. For this example, I allocated four storage pools to a host
group named Hyper-V Servers, as shown in Figure 6. Next, you allocate
LUNs by clicking the Allocate Logical Units button on the
host group’s Properties page and providing the requested LUN information
in the Allocate Logical Units dialog box. As Figure 7 shows,
for this example, I’m allocating two LUNs from Storage Pool D to the
host group.

Figure 6: Allocating Storage [...] Group

Figure 7: Allocating LUNs to the Host Group

At this point, you can add the storage to an available host in the 
host group. To do so, open the host’s Properties page in the VMM 
console and click Storage in the left pane. In the right pane, click Add 
and choose Add Disk, as shown in Figure 8. In the dialog box that 
appears, you need to select the LUN you want to use and provide the 
requested information, as Figure 9 shows. 

On the host, the disk will be shown as Online after the job completes.
On the iSCSI Target Server, the disk will be shown as Connected
in Server Manager, as you can see in Figure 10. The storage is now
ready for use.

Figure 8: Adding a Disk to a Host

Figure 9: Configuring the Host’s Disk

Figure 10: Making Sure the Disk Is Connected

A Management Platform for the Private Cloud 

I provided you with an example of how to integrate Microsoft’s iSCSI 
Target Server into VMM, but you can integrate other compatible third- 
party storage vendor solutions into VMM as well. For information 
about supported third-party solutions, refer to the TechNet article 
“Supported Storage Arrays for System Center 2012 VMM.” I hope the 
information I presented here has been useful and has demonstrated 
the flexibility provided by VMM as a management platform for the 
private cloud. ■

Understanding Hyper-V Networking
with System Center Virtual Machine Manager 2012 R2

Cut through the confusion 


In most IT environments, there are different types of networks, different
ways the networks are used, and different types of connectivity
for the different hosts. System Center Virtual Machine Manager
(VMM) 2012 R2 provides the various architectural components (e.g.,
port profiles, logical networks, logical switches, virtual networks) to
enable even highly complex network environments to be configured,
which simplifies future administration. However, the initial networking
configuration can be confusing. I’ll walk you through all the
VMM networking architectural components and how to use them.
This walkthrough assumes that you’re already familiar with Hyper-V
networking basics, such as the types of virtual switches.

Logical Networks 

Most organizations have different types of networks, such as a corporate
network, management network, demilitarized zone (DMZ),
Internet network, backup network, and testing network. The different
networks might be separated physically or separated using networking
concepts such as Virtual LAN (VLAN), Private VLAN (PVLAN),
and network virtualization. Each of these networks is defined inside
VMM as a logical network, which is the primary building block to
help model your physical network infrastructure and connectivity.

In addition, an organization might have different physical locations
or data centers. In this situation, VMM lets you define a logical network
that includes details about the sites it exists at, along with the
configuration required at each site. For example, suppose an organization
has a management network at its Dallas and Houston locations.
In Dallas, the management network uses the 10.1.1.0/24 subnet with
VLAN 10, whereas in Houston, the management network uses the
10.1.2.0/24 subnet with VLAN 20. This information can be modeled
in VMM using network sites, which are linked to a VMM host group
and contained within a logical network. This setup enables VMM
to assign not only the correct IP address to virtual machines (VMs)
based on location and network but also the correct VLAN or PVLAN.
This is a key point. The logical network is modeling the physical network,
so it’s important that your objects match the physical topology,
such as the correct IP and VLAN configuration. A network site in a logical
network doesn’t have to reflect an actual physical location but rather
a specific set of network configurations.

A network site can be configured with just an IP subnet, just a
VLAN, or an IP subnet/VLAN pair. You only need to configure IP subnets
for a site if VMM will be statically assigning IP addresses to VMs
created within the site. If DHCP is present, no IP subnet configuration
is required. If VLANs aren’t being used, you don’t need to configure
a VLAN. If DHCP is used on the network and VLANs aren’t used, you
don’t have to create any network sites.

After the network sites are defined within a logical network, you
can add IP pools to the defined IP address subnet, which enables
VMM to configure VMs with static IP addresses as the VMs are
deployed. If DHCP is used on the network, there’s no need to configure
IP pools in VMM or even specify the IP subnet as part of the
site configuration. DHCP would be leveraged for the IP assignment.
However, if you don’t have DHCP, creating the IP pool allows VMM
to handle the IP assignment for you. When a VM is deleted, VMM
reclaims the IP address for its pool. Even when DHCP is primarily
used on the network, if you’re using features such as load balancing
as part of a service, VMM has to be able to allocate and track that IP
address, which will require the configuration of an IP pool. If no IP
pool is created for a network site, VMM configures the VMs to use
DHCP for address allocation.
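
The Dallas and Houston management network described above can also be modeled from the VMM command shell, with a check that each site's VLAN and IP pool agree with its subnet before anything is created. This is an added example, not code from the original article; the host group names, site and pool names, and pool ranges are assumptions, while the subnets and VLAN IDs are the article's.

```powershell
# Added example, not from the article. Run in the VMM command shell on a
# lab VMM 2012 R2 server. Host group names, site/pool names and the static
# pool ranges are assumptions; the subnets and VLAN IDs are the article's.
Import-Module virtualmachinemanager

$sites = @(
    @{ Name = 'Management - Dallas';  HostGroup = 'Dallas'
       Subnet = '10.1.1.0/24'; Vlan = 10
       PoolStart = '10.1.1.50'; PoolEnd = '10.1.1.200' },
    @{ Name = 'Management - Houston'; HostGroup = 'Houston'
       Subnet = '10.1.2.0/24'; Vlan = 20
       PoolStart = '10.1.2.50'; PoolEnd = '10.1.2.200' }
)

function ConvertTo-UInt32 {
    param([string]$Ip)
    # Dotted-quad IPv4 address -> 32-bit number (network byte order)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask)
}

# Validate every site first so a typo cannot leave a half-built model
# that places VMs on the wrong VLAN or subnet.
foreach ($site in $sites) {
    if ($site.Vlan -lt 0 -or $site.Vlan -gt 4094) {
        throw "$($site.Name): VLAN $($site.Vlan) is outside 0-4094."
    }
    foreach ($ip in $site.PoolStart, $site.PoolEnd) {
        if (-not (Test-InSubnet -Ip $ip -Cidr $site.Subnet)) {
            throw "$($site.Name): $ip is not inside $($site.Subnet)."
        }
    }
    if (-not (Get-SCVMHostGroup -Name $site.HostGroup)) {
        throw "$($site.Name): host group '$($site.HostGroup)' not found."
    }
}

# One logical network, one network site (logical network definition) per
# location, and one static IP pool per site.
$logicalNetwork = New-SCLogicalNetwork -Name 'Management'

foreach ($site in $sites) {
    $hostGroup  = Get-SCVMHostGroup -Name $site.HostGroup
    $subnetVlan = New-SCSubnetVLan -Subnet $site.Subnet -VLanID $site.Vlan

    $definition = New-SCLogicalNetworkDefinition -Name $site.Name `
        -LogicalNetwork $logicalNetwork `
        -VMHostGroup $hostGroup `
        -SubnetVLan $subnetVlan

    New-SCStaticIPAddressPool -Name "$($site.Name) pool" `
        -LogicalNetworkDefinition $definition `
        -Subnet $site.Subnet `
        -IPAddressRangeStart $site.PoolStart `
        -IPAddressRangeEnd $site.PoolEnd
}
```

On a network that uses DHCP, the New-SCStaticIPAddressPool call can be dropped, as the article notes.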

When using VMM, you should try to minimize the number of logical
networks to keep the configuration as simple as possible. You
should create logical networks only when you need them. For example,
as Figure 1 shows, I have several logical networks defined: a corporate
network that has its own DHCP, an Internet network, a private
network, two lab networks that use VLANs to separate communication
(VMM allocates the IP addresses in these lab networks), and a
network virtualization-enabled network that has an IP pool used for
the Hyper-V host communications.


Figure 1: Exploring a Sample Logical Network Configuration



Virtual Machine Networks 

The goal for virtualization is to separate and abstract the logical networks
from the VMs. This abstraction is achieved through the use of
VM networks, which is another networking architectural component
in VMM. When you use VM networks, the VMs have no idea of the
underlying technology (e.g., VLANs, network virtualization) used
by the logical network. A VM’s virtual network adapter can only be
connected to a VM network. When network virtualization is used,
the Customer Address (CA) space (i.e., the IP addresses given to the
VMs) is defined as part of the VM network. This allows specific VM
subnets to be created as needed within the VM network, completely
separate from the logical network IP configuration.

There are some scenarios in which the isolation provided by VM
networks isn’t required. For example, you don’t need isolation when
direct access to the infrastructure is required, such as when the VMM
server is running on a VM. In these instances, you can create a
no-isolation pass-through VM network that directly passes communication
through to the logical network. The VM network is present
only because a VM’s virtual network adapter needs to connect to a
VM network. If a logical network has multiple network sites defined,
when you deploy a VM, it will automatically pick the correct IP subnet
and VLAN configuration based on the location to which you’re
deploying the VM. Users of self-service type portals are exposed to
VM networks but not the details of the underlying logical networks.

Although logical networks are defined as part of the networking fabric
view within the Fabric workspace, VM networks are defined within
the VMs and Services workspace. When creating a VM network, you
need to specify which logical network and specific site it relates to.

Port Profiles and Port Classifications 

There are two types of port profiles: virtual port profiles and uplink
port profiles. With virtual port profiles, you can configure settings
that will be applied to virtual network adapters attached to VMs or
virtual network adapters used by the management host OS. The settings
can include:

• Offload settings such as those used to configure virtual machine
queue (VMQ), IPsec task offloading, and single root I/O virtualization
(SR-IOV)

• Security settings such as those used to configure DHCP guard

• Guest teaming settings

• Quality of Service (QoS) settings such as minimum and maximum
bandwidth settings

VMM provides a number of built-in virtual port profiles for common
network adapter uses, many of which are aimed at virtual network
adapters used by the host OS. After a virtual port profile is used
within a logical switch and the logical switch is deployed to a host,
the host will be flagged as noncompliant if the virtual port profile
configuration is changed, because the host’s configuration no longer
matches the configuration of the virtual port profile. To fix this
problem, you can easily remediate the servers to apply the updated
configuration.

An uplink port profile defines the connectivity of the virtual
switch to the logical networks. You need a separate uplink port profile
for each set of hosts that require the same physical connectivity.
(Remember that the logical networks define the physical network.)
Conversely, anytime you need to restrict a logical network to specific
hosts in the same location or need custom connectivity, you need a
different uplink port profile. In the uplink port profile, you can select
the logical networks that will be available as part of the logical network
and the NIC teaming configuration when used on hosts. No
preconfigured uplink port profiles are supplied, because their primary
purpose is to model the logical networks that can be connected and,
by default, there are no logical networks. If a change is made to the
uplink port profile definition (e.g., a new VLAN is added), VMM will
use a logical switch to automatically update all the virtual switches
on the Hyper-V hosts that use the uplink port profile.

Port classifications are also available. They’re containers for port
profile settings. You can think of port classifications as being like
storage classifications, where you might create a gold storage classification that
uses a top-of-the-line SAN and a bronze storage classification that
uses a much lower tier of storage. Or you might create a high bandwidth
classification and low bandwidth classification.

The benefit of the port classification is that it acts as a layer of abstraction
between the port profiles assigned to the logical switches. Because
of this abstraction layer, you can assign a port classification to a VM
template, but have a VM’s logical switch determine the port profile
to be used.

VMM includes a number of port classifications that correlate to 
the provided virtual port profiles. Port classifications are linked to 
virtual port profiles as part of the logical switch creation process. Like 
VM networks, port classifications are exposed to users through self- 
service portals and not the underlying port profiles. 

Logical Switches 

Although it’s possible to manually perform virtual switch configurations
on a server-by-server basis, it can lead to inconsistencies. In
addition, it inhibits the automatic deployment of new Hyper-V hosts. 

Fortunately, VMM has the logical switch component, which acts as 
a container for all virtual switch settings. It also ensures a consistent 
deployment of switch configurations across all servers. Automatic 
configuration with the logical switch is useful for not only deployments
but also compliance tracking and enforcement. After a host is
deployed using the logical switch component, VMM will continue to 
track the host’s configuration and compare it to the logical switch’s 
configuration. If the host’s configuration deviates from that of the 
logical switch, this configuration will be flagged as noncompliant, 
which you can then resolve through the administrative interface. If 
the logical switch is updated (e.g., a new extension is added), all the 
Hyper-V hosts using the logical switch will automatically be updated. 
When configuring the logical switch, you can specify: 

• The Hyper-V virtual switch extensions that should be deployed to 
the hosts. 

• The uplink port profiles that relate to the switch.

• The port classifications for the various types of virtual ports. For
each port classification, you can select a specific virtual port profile
to be used for the logical switch, as Figure 2 shows.

Figure 2: Assigning a Port Classification and Virtual Port Profile to a
Logical Switch


As part of the logical switch component deployment, you can have
VMM automatically configure NIC teaming on the Hyper-V hosts. You
just need to select multiple network adapters on the host when applying
the logical switch to the host. This means that you don’t need to
make any networking configurations on the actual Hyper-V host. You
do everything in VMM.

How to Design and Implement a Network

Before you design and implement your network in VMM, you must
first disable VMM’s Create logical networks automatically option. This
option is enabled by default, which means that if you add a Hyper-V
host to VMM for management purposes, VMM will automatically create
a logical network for it if no suitable existing match is found. Here’s
how to disable this option:

1. Open VMM. 

2. Open the Settings workspace. 

3. Select the General navigation node. 

4. Double-click Network Settings in the details pane. 

5. In the Network Settings dialog box, clear the Create logical 
networks automatically check box and click OK. 

Now you can safely design and implement your network in VMM. 
Here are the steps: 

1. Create the logical networks that relate to your physical networks.
(You can also create logical networks for communication isolation
purposes.) Create IP pools for the sites you defined in the
logical network.

2. Create the VM networks that relate to sites within the logical 
networks. Where network virtualization is used, you can create 
IP pools for the VM subnets to be used for assignment to VMs 
connected to the virtual networks. 

3. Create the uplink port profiles. As mentioned previously, they 
describe the connectivity between a specific port (which will be 
assigned later) and the logical networks. This essentially tells 
VMM which networks a specific NIC on a host can connect to. 

4. Create custom virtual port profiles if needed. VMM provides 
many virtual port profiles for the various types of traffic, but 
you can create additional virtual port profiles if needed. 

5. Create custom port classifications if needed. Port classifications
typically reflect the virtual port profiles. Therefore, if you
created additional virtual port profiles, you’ll likely need to create
additional port classifications.

6. Create a logical switch. Specify the type of teaming to use, the 
uplink port profile, the port classifications, and the virtual port 
profile that relates to each port classification. 

7. Apply the logical switch to a host and select the network adapters
on the host to be bound to the logical switch, as shown in
Figure 3. You can create additional virtual network adapters for
use by the host OS within the possible port classifications that
you assigned to the logical switch.

Figure 3: Applying a Logical Switch to a Host and Selecting the Network
Adapters


When you apply the logical switch to the Hyper-V host, all the
networking configurations will be automatically made. Afterward,
you’ll be able to view the server, any NIC teams created, the virtual
switches, and the virtual network adapters related to the logical
switch in VMM. Figure 4 illustrates all the relationships among the
various VMM architectural components in a sample network.

Figure 4: [...] Among the Various VMM Architectural Components in a
Sample Network

Not As Bad As It Initially Seems

Initially, the number of architectural components related to Hyper-V
networking in VMM can seem intimidating, but the reality is once
you understand what they actually do, it’s really not that bad. After
you finish the main work of defining the networks and creating the
logical switches, the ongoing maintenance is very light. ■

What’s New in Exchange Server 2013 SP1

Besides providing product changes, SP1 is serving another important role

In some circles, it has long been an article of faith that a new Microsoft
OS or server product should be treated cautiously until the release
of the first service pack. Fair or not, this perception has resulted in
many customers waiting for service pack releases before beginning
a broad deployment of new versions, thereby slowing the deployment
of new products. On February 25, 2014, Microsoft released SP1
for Exchange Server 2013. It includes new features, improvements to
existing features, and bug fixes for flaws not addressed in previous
cumulative updates. In addition to these product changes, SP1 serves
as a barometer of how well Microsoft’s new servicing model for
Exchange is working. Early indications are positive—but will SP1’s
new features, improvements, and bug fixes be enough to convince
you to deploy Exchange 2013? Let’s take a look.

SP1 and the Servicing Model

In February 2013, Microsoft announced that it was changing the way 
it releases Exchange updates. In its blog entry “Servicing Exchange 
2013,” the Exchange Server Team stated that the new servicing 
model would be a predictable schedule of quarterly releases known 
as cumulative updates. Each cumulative update would include 
all fixes and patches released since the release to manufacturing 
(RTM) version. That way, installing the latest cumulative update 
would bring any previous release of Exchange 2013 up-to-date. The 
Exchange Team also stated that cumulative updates might contain
new features, including features that require Active Directory (AD)
or Exchange database schema updates.

This servicing model has had its ups and downs. Although many 
administrators appreciate the predictability of a quarterly release 
cadence, others find that quarterly updates arrive faster than their 
organizational processes allow them to test and deploy updates. 
Including new features in cumulative updates further complicates 
deployment, because many organizations have change control policies
that govern when new features can be introduced into an existing
environment. These challenges notwithstanding, the Exchange world 
seems to have accepted the quarterly release model and adapted to it, 
at least for the most part. 

You might consider that SP1 is really CU4. After all, SP1 is the
fourth major update released for Exchange 2013, and as with previous
service packs, it includes all fixes and patches released since RTM, so
it’s clearly a cumulative update. In fact, the next release planned after
SP1 will be labeled as CU5, so that raises the reasonable question of
why Microsoft named this release as a service pack. It certainly might
have to do with the waiting-for-SP1 issue I mentioned previously.

Software quality has been a separate and troublesome issue for the
cumulative update system. On multiple occasions over the past year,
Microsoft has had to either delay or remove and re-release updates
for Exchange 2013 because of quality problems. For example, in what
must have been a major embarrassment for the product team, a week
after SP1 was released, Microsoft had to release a fix for SP1 to enable
third-party SMTP transport agents to work properly. The released SP1
code contained a typo in a configuration file that prevented the extensions
from working. (For more information about the problem and
fix, see the Microsoft Support article “Third-party transport agents
cannot be loaded correctly in Exchange Server 2013.”)

However, it’s unfair to suggest that quality is being sacrificed to
meet the quarterly release schedule. In addition, because the same
code is now being used for Office 365 and on-premises installations,
Microsoft has arguably suffered just as much as other customers
when a flaw makes it through the release testing process. CU3 has
generally been regarded as a good-quality release, and Microsoft has
proven that it would rather delay the release of an update to make
sure it’s solid than release it on schedule but with known problems.
SP1 has been functionally very stable in my testing. Even the post-release
problem with the transport agents was more of a minor annoyance
than anything else, and it was easily fixed. When deployed at
customer sites, the functional stability of SP1 should go a long way
toward reinforcing Microsoft’s message that it places an extremely
high value on the quality of its releases.

SP1 Installation

When you download SP1, you’ll notice that it’s large—about the
same size as a fresh install of Exchange 2013 RTM. That’s because
you can use SP1 to perform an in-place update of any previous
version of Exchange 2013 or a clean install on a new server. The
installation process is functionally identical in either case—and it’s
the same as the installation process for RTM: The installer offers to
download the needed prerequisites as part of its lengthy pre-install
check, then performs the installation, which can take anywhere
from 45 to 120 minutes.

Before you install SP1, you need to keep in mind that the installation
will wipe out any customizations you’ve made to configuration
files on your servers. For example, if you customized web.config so
that your Outlook Web App (OWA) users have access to the integrated
Microsoft Lync client, installing SP1 will overwrite your customizations.
Make sure you back up these files (typically, web.config
and EdgeTransport.exe.config) before performing the installation.
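
One way to take that backup and then see exactly which files the installer replaced is sketched below. This is an added example, not from the original article or from Microsoft; the backup folder, the manifest file name, and the -Compare switch are assumptions, and Get-FileHash requires PowerShell 4.0 or later. Run it once before installing SP1, then again with -Compare afterward.

```powershell
# Added example, not from the article. Save as a script and run it in an
# elevated PowerShell 4.0+ session on the Exchange server.
# D:\PreSP1-ConfigBackup and manifest.csv are hypothetical names.
param(
    [string]$BackupRoot = 'D:\PreSP1-ConfigBackup',
    [switch]$Compare    # run with -Compare after SP1 has been installed
)

# Exchange setup defines this environment variable on the server.
$installPath = $env:ExchangeInstallPath
if (-not $installPath -or -not (Test-Path $installPath)) {
    throw 'ExchangeInstallPath is not set; run this on the Exchange server.'
}
$installPath = (Resolve-Path $installPath).Path.TrimEnd('\')
$manifest    = Join-Path $BackupRoot 'manifest.csv'

if (-not $Compare) {
    # Before the update: copy every web.config and EdgeTransport.exe.config,
    # keeping the folder layout, and record a SHA-256 hash for each file.
    $files = Get-ChildItem -Path $installPath -Recurse -File `
        -Include 'web.config', 'EdgeTransport.exe.config'

    $entries = foreach ($file in $files) {
        $relative = $file.FullName.Substring($installPath.Length).TrimStart('\')
        $target   = Join-Path $BackupRoot $relative
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force
        [pscustomobject]@{
            RelativePath = $relative
            SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
    $entries | Export-Csv -Path $manifest -NoTypeInformation
    "Backed up $(@($entries).Count) files to $BackupRoot"
}
else {
    # After the update: list the files whose content no longer matches the
    # backup. Re-apply customizations to these by hand from the backup copy
    # rather than copying the old file over the new one.
    Import-Csv -Path $manifest | ForEach-Object {
        $live = Join-Path $installPath $_.RelativePath
        $status = if (-not (Test-Path -LiteralPath $live)) {
            'Missing'
        } elseif ((Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash -eq $_.SHA256) {
            'Unchanged'
        } else {
            'Changed'
        }
        [pscustomobject]@{ RelativePath = $_.RelativePath; Status = $status }
    } | Where-Object Status -ne 'Unchanged'
}
```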

When you install SP1 on a server that contains mailboxes, those mailboxes
won’t be available while the installation is running. Although it’s
not strictly required, it’s a good idea to put database availability group
(DAG) member servers into maintenance mode before beginning the
update. You can do this yourself, but an easier route is to use scripts
such as those developed by Michael van Horenbeeck.

Because SP1 includes changes to the database schema, installing
SP1 will run the Update-DatabaseSchema cmdlet to update the databases
in each DAG but not until all the servers in the DAG have been
updated to SP1. The update process checks three parameters of each
database: MinimumSupportedDatabaseSchemaVersion,
MaximumSupportedDatabaseSchemaVersion, and
RequestedDatabaseSchemaVersion. Installing a cumulative update or
service pack can update MaximumSupportedDatabaseSchemaVersion (if
that cumulative update or service pack includes a schema update) and
RequestedDatabaseSchemaVersion. If the value of
RequestedDatabaseSchemaVersion is larger than the value of
CurrentSchemaVersion, the database should be updated the next time
it’s mounted if all the member
servers in the DAG have the correct version of code. For more details
about how this works in practice, see the Exchange Team Blog entry
“Exchange 2013 database schema updates.”

There are no hard-and-fast rules controlling which servers to update
first. The emerging best practice seems to be to first update any dedicated
Client Access servers (if you have any), including hybrid servers
used for communications with Office 365, then update your DAGs,
either in parallel or one at a time.

One oddity noted during the beta testing of SP1 is that under some
conditions, the Exchange transport services won’t restart properly
after the service pack installs. You can manually restart the transport
services yourself. However, there’s another solution: Although
Exchange service packs don’t require that you reboot servers after
updating them, it’s generally a good idea to do so—and it frees you
from having to manually restart the services.

The Invisible Groundwork 

As with any service pack, SP1 concentrates on fixing existing bugs.
Microsoft doesn’t always release a complete list of all the fixes included
in cumulative updates for Exchange, but with the SP1 release, it did
in the Microsoft Support article “Description of Exchange Server 2013
Service Pack 1.” The list makes for interesting reading, although most
administrators won’t run into more than a few of the listed items. If
you aren’t having a problem with a bug, the fix for it might as well
be invisible to you.

There are two other categories of “invisible” changes included in 
SPl, and they both relate to changes made to support Office 365. 
Microsoft has been very public with its plans to put new Exchange fea¬ 
tures into Office 365 first, so some SPl changes are related to features 
that aren’t yet announced or enabled. For example, in January 2014, 
the Office 365 team announced that a new feature for OWA known 
as People View would be rolled out “in the next several months.” 
The code for People View is obviously part of the OWA code base, so 
it’s reasonable to assume that the code was included in SPl, even if 
the feature isn’t available for on-premises Exchange servers yet. The 
other category of invisible SPl changes relates to feature changes or 
bug fixes that pertain only to Office 365 operations and interoperabil¬ 
ity. Because Microsoft is running Office 365, administrators won’t see 
these changes exposed directly. 

New Features in SP1

SP1 strikes a balance between features that will be of interest to
administrators and those that will be of interest to end users. Some
features could’ve easily been predicted (such as support for Windows
Server 2012 R2), whereas other features are surprising.

One surprise is the introduction of a new feature code-named
Alchemy, properly known as MAPI over HTTP. Notice that “RPC” isn’t
included in that name. When MAPI over HTTP is enabled, Outlook
2013 SP1 and later clients can connect to Exchange 2013 SP1 (and
Office 365) servers using pure HTTP Secure (HTTPS), into which
Messaging API (MAPI) is tunneled. Unlike remote procedure calls
(RPCs), HTTPS works reliably over both flaky and mobile networks,
as demonstrated by the solid performance of Exchange ActiveSync
(EAS) and Exchange Web Services. Reconnection is faster, too. In
addition, doing away with RPCs dramatically simplifies troubleshooting.
There’s no requirement to tunnel RPC traffic, which means that
you don’t need any workarounds to get RPC traffic through various
kinds of firewall devices.

Outlook 2013 SP1 and later will send a new header in their
Autodiscover requests. If the server supports MAPI over HTTP and it’s
enabled, the Autodiscover manifest will include a URL to the new
emsmdb virtual directory and prompt the user to restart Outlook.
After the restart, the user’s Outlook profile will be updated to use that
virtual directory as an endpoint.

On the negative side, Microsoft has stated that MAPI over HTTP 
uses more bandwidth in exchange for its improved performance, but 
it hasn’t said how much more bandwidth or how much performance 
improvement you get in return. It remains to be seen how this feature 
will impact live deployments. 

To take advantage of MAPI over HTTP, you need to enable it for
your organization using the Set-OrganizationConfig cmdlet. It can’t
be enabled on individual servers. Perhaps worst of all, after you
enable the feature, connected Outlook users will receive the dreaded
dialog box that tells them to restart Outlook because the Exchange
administrator has made a configuration change—a surefire generator
of support calls and user discontent. For these reasons, I expect
the adoption of MAPI over HTTP to be fairly slow until there’s more
real-world data about how it performs. If you decide to enable it, be
sure to read the release notes, which point out a potential performance
problem (and the required fix) for servers that were upgraded
to SP1 from a previous cumulative update. (For much more information
about MAPI over HTTP, see Tony Redmond’s article “Exchange
Server 2013 Transitions from RPC to HTTP.”)

There are several other new features in SP1 that will appeal mostly to
organizations that are using particular specialized features in Exchange:

• For those organizations that depend on Secure MIME (S/MIME)
security, OWA now supports creating and receiving S/MIME
encrypted and signed messages. This capability is especially welcome
for organizations that want to protect email against government
surveillance or rogue administrators (either their own or
hosting providers’ administrators) because S/MIME encrypts mail
when it’s sent and keeps it encrypted during transport, routing,
and storage.

• OWA and Exchange Admin Center (EAC) now support the use of
Active Directory Federation Services (ADFS) with claims-based
authentication. This might seem esoteric, but the upshot is that
you can now use OWA and EAC with two-factor authentication
(including smartcards and certificate-based authentication)
through this mechanism.

• Organizations that have multiple AD forests can now synchronize
them with a single Office 365 tenant. Although many-to-one directory
synchronization has been possible for a while, it’s now fully
supported—welcome news for companies with complex multiforest
environments.

SP1 also has some new features for end users, the majority of which
are actually in OWA:

• OWA now features a rich-text editor. As Figure 1 shows, it lets
users include tables, images, and other content types in their
email messages.

• OWA can now work in offline mode when it’s used with versions
of Mozilla Firefox that support the HTML5 Application
Cache (AppCache) mechanism. It’s not really clear from
Mozilla’s documentation exactly when this support was added,
but it looks like version 25 and later work with OWA in offline
mode.

• Some types of Office apps can now be used in the OWA
message-composition window.

Figure 1: New Rich-Text Editor in OWA

possible that there are other embedded features (such as People
View, which I mentioned previously) in SP1 that Microsoft hasn’t
announced or enabled yet. We’ll have to wait and see.

Two Features That Are Back

Some time ago, Microsoft announced that the Edge Transport role
would be returning to Exchange 2013, and sure enough, it shipped
as part of SP1. The Exchange 2013 version offers the same feature set
as the Exchange 2010 version, but it’s been updated to work with the
Exchange 2013 transport engine.

Relatively few customers have deployed the Edge Transport role to 
date in Exchange 2010 environments. The reason for this is simple. 
There are many excellent anti-spam and anti-malware servers and 
services (including Microsoft’s Exchange Online Protection), and the 
Edge Transport role doesn’t offer anything particularly compelling to 
entice customers away from those other solutions. However, with the 
advent of Office 365, it does have one extremely attractive feature: 
You can put an Edge Transport server in between your on-premises 
Exchange 2013 or Exchange 2010 servers and Office 365. Microsoft 
doesn’t support the use of third-party message hygiene or relay 
servers between on-premises and cloud servers in hybrid Exchange 
deployments, but you can put an Edge Transport server in between 
on-premises servers and the cloud and use its transport, filtering, 
scanning, and routing features on inbound and outbound mail. This 
is a big deal to organizations that need mail filtering and processing 
in the perimeter network. Now that there’s a 2013 Edge Transport 
role, you can expect to see it appear in enterprise hybrid tenants 
without delay. 

Another feature that has returned thanks to SP1 is Exchange
Management Shell (EMS) command logging in EAC. The log provides an
easy way to see what EMS commands run when you take specific
actions in EAC, making it valuable both as an audit trail and a learning
aid. For example, the log in Figure 2 shows that several Get cmdlets
were run, along with some explicit cmdlets triggered as the result
of administrator actions in EAC. By default, the log contains the last
500 commands executed and is updated as long as EAC is open. Closing
an EAC session removes the log contents.


Enhancements to Existing Features 

There are relatively few enhancements to existing features in SP1, but
the enhancements made to the Data Loss Protection (DLP) feature
and to DAGs are worthy of mention.

DLP. The DLP engine has been enhanced with new DLP rule sets 
for additional regions and countries. In addition, you can now upload 
a document template (such as an order form or health record form) 
and use it as a “fingerprint” that the DLP system can use to recognize 
potential leaks of sensitive information. 

Another DLP enhancement is that OWA can now display Policy
Tips driven by the DLP features in Exchange 2013. This brings OWA to
parity with Outlook 2013, which means that users who can’t or don’t
want to use Outlook 2013 can still get DLP notifications. Because the
OWA for Devices applications render content using the server-side
OWA engine, those clients can also display Policy Tips. (For more
information about DLP, see Tony Redmond’s article “Exchange Server
2013 Data Loss Prevention.”)

DAGs. You can now create a DAG that doesn’t have an IP address,
cluster name, or network name associated with it. This probably
won’t be a popular option for a while because you can’t change an
existing DAG into a nameless one (or vice versa). In addition, you
can create such a DAG only when all the member servers are running
Server 2012 R2. Removing the administrative access point from DAGs
in this manner means you no longer need to pre-stage IP addresses
or cluster name objects (CNOs), and you don’t have to care about
which specific subnet a given server is in if your DAG spans multiple
subnets. In addition, now that there’s no dependency on a CNO, damage
to or removal of the CNO can’t affect the cluster or the DAG on
which it depends.

Another enhancement is that DAGs can now take advantage of
the dynamic witness and dynamic quorum features of Server 2012
R2, as explained in some detail by Microsoft’s Scott Schnoll in his
blog “Windows Server 2012 R2 and Database Availability Groups.”
Because Server 2012 R2 enables dynamic quorum and dynamic witness
by default on newly created Windows Failover Cluster objects,
creating a new DAG on Server 2012 R2 servers will result in Exchange
using these features automatically. Exchange 2013 SP1 will also take
advantage of the new method that Server 2012 R2 uses for detecting
when a cluster is hung and needs to be restarted.

The other DAG-related change worth noting is the emergence of a 
new method for deciding when to truncate transaction logs. Known 
as loose truncation, this method is designed to handle the case where 
one copy of a database in a DAG goes offline. In Exchange 2013 and
Exchange 2010, the active copy of a database isn’t allowed to truncate 
its transaction logs if one or more passive copies of the database are 
suspended. All the passive copies will continue to accumulate logs, as 
long as there’s an active copy. Therefore, having a passive copy that’s 
offline for an extended time can cause disk space shortages. With 
loose truncation enabled (it’s off by default), you can change this 
behavior to something closer to the way that circular logging works in 
earlier versions of Exchange. Each copy manages its own set of logs, 
truncating as necessary when space runs low, but still respecting the 
loose truncation settings that govern the minimum number of logs 
to keep. TechNet provides a good explanation of loose truncation in 
“Managing Mailbox Database Copies.” 


A Solid Release 

One of the big advantages of the new servicing model is that software
updates can be tested in Office 365 before being released for
on-premises customers. Before its official release, SP1 had already been
running on Office 365 for quite some time. In addition, the SP1
prerelease code was put into production at several large enterprise
customers participating in a beta-testing program (i.e., the Technology
Adoption Program, or TAP). The early signs from these programs are
quite promising, which is great news given the number of customers
who routinely wait for SP1 before deploying any new release. In
addition, the ability to run on Server 2012 R2, the new DLP capabilities,
and the presence of the Edge Transport role will all help unblock
deployments for certain customers. Overall, SP1 is a solid feature
release and, if its quality proves out, should noticeably help accelerate
the rate of Exchange 2013 deployment.

Working with Files Using PowerShell Cmdlets

Here are 7 cmdlets that let you easily manage your files

Windows PowerShell offers four different ways to work with
files. Your options include using cmdlets, using DOS commands,
using Windows Management Instrumentation (WMI),
and using Microsoft .NET Framework methods.

• Using cmdlets. There are a number of cmdlets geared specifically
toward files. With these cmdlets, you can manage files and file
paths as well as work with the contents of files.

• Using DOS commands. PowerShell is fully compatible with DOS
commands. Hence, anything that you can do using DOS, you can
do with PowerShell. Even the useful xcopy command is recognized
by PowerShell.

• Using WMI. WMI offers yet another mechanism for managing
files (e.g., changing file properties, searching or renaming a file).
Best of all, you can run WMI commands remotely.

• Using Microsoft .NET Framework methods. The .NET System.IO
namespace is available through the PowerShell command line.
These include the System.IO.File and System.IO.FileInfo classes.


In this discussion, I’ll concentrate on the cmdlets geared specifically
toward files. The cmdlets you can use for working with files include:

• Get-ChildItem

• Get-Item

• Copy-Item

• Move-Item

• New-Item

• Remove-Item

• Rename-Item

Rob Gravelle resides in Ottawa, Canada, and is the founder of
Gravelle Web Design. Rob has built systems for
Border Services and for

Using the Get-ChildItem Cmdlet

The Get-ChildItem cmdlet retrieves the items found within one or
more specified locations. A location can be a file system container,
such as a directory, or a location exposed by another provider, such
as a registry subtree or certificate store. You can use this cmdlet’s
-Recurse parameter to get items in all subfolders as well.

Used without parameters, the Get-ChildItem cmdlet retrieves all child
items (i.e., subfolders and files) in the current location. For example, if
your current location is the H root directory and you run the command

Get-ChildItem

you’ll get results similar to that shown in Figure 1.


Figure 1: Running Get-ChildItem Without Any Parameters

By using parameters, you can hone in on the information you need.
For example, the following command retrieves all the .log files in the
C root directory, including subdirectories:

Get-ChildItem C:\* -Include *.log -Recurse -Force

As you can see, this command uses the -Include, -Recurse, and -Force
parameters. You use the -Include parameter to retrieve specific items.
It supports the use of wildcards and is ideal for specifying a filename
extension. The -Recurse parameter directs PowerShell to retrieve
subfolders in addition to files. The -Force parameter adds hidden files
and system files to the output.

Note that, when you run this command, you’ll probably get a
bunch of access denied errors. Depending on your machine’s security
settings and policies, some directories (e.g., Recycle Bin, Start
menu, user folders) are restricted and can’t be read. You can suppress
these errors by including the -ErrorAction SilentlyContinue
parameter.

The following command will produce the same results as the previous
one because the -Path parameter accepts wildcards:

Get-ChildItem -Path C:\*.log -Recurse -Force

With some PowerShell cmdlet parameters, you can omit the parameter
name if you supply that parameter in the position expected by
PowerShell. That’s the case with the Get-ChildItem cmdlet’s -Path
parameter. So, the following command would produce the same
results as the previous command:

Get-ChildItem C:\*.log -Recurse -Force

The -Path parameter can accept multiple arguments, separated by
commas. For example, suppose that you want to retrieve the .log files
from two locations: the C root directory and the H root directory,
which is the current directory (i.e., the default location). To accomplish
this, you need to include the argument C:\* to get all the log
files from the C root directory and the argument * to get all the log
files from the H root directory. (Because the H root directory is the
default location, you don’t need to include H:\.) You need to separate
the two arguments with a comma, like this:

Get-ChildItem C:\*, * -Include *.log -Force

In the sample results in Figure 2, notice the “h” attribute in the
Mode column for the H root directory. This attribute denotes that
the ntuser.dat.LOG file is hidden. It shows up because the -Force
parameter was used.


Figure 2: Running Get-ChildItem with Parameters

Although not shown in these examples, you can refer to Get-ChildItem
by aliases. There are three built-in aliases: dir (like the DOS dir
command), gci, and ls (like the ls UNIX command).
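
Suppressing access denied errors with -ErrorAction SilentlyContinue also hides which folders the search never covered. The following added example (not part of the original article) runs the same -Include, -Recurse, and -Force search but records the skipped paths with -ErrorVariable; the Get-LogInventory function name and the sandbox files are constructed for illustration.

```powershell
# Added example: the function name and all sample files are constructed.
function Get-LogInventory {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Include = '*.log'
    )
    # Same search as in the article, but errors are collected in $skipped
    # instead of being thrown away.
    $skipped = @()
    $files = @(Get-ChildItem -Path $Path -Include $Include -Recurse -Force `
                   -ErrorAction SilentlyContinue -ErrorVariable skipped |
               Where-Object { -not $_.PSIsContainer })

    # Add a Hidden column so files that appear only because of -Force stand out.
    $hiddenColumn = @{
        Name       = 'Hidden'
        Expression = { [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden) }
    }

    [pscustomobject]@{
        Files   = @($files | Select-Object Mode, $hiddenColumn, Length, FullName)
        # TargetObject holds the path that raised each error.
        Skipped = @($skipped | ForEach-Object { $_.TargetObject })
    }
}

# Constructed sandbox: one visible log, one nested log, one hidden log,
# and one file that should not match the *.log filter.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('gci-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $root 'Autosetup.log') -Value 'visible' | Out-Null
New-Item -ItemType File -Path (Join-Path $root 'sub\app.log') -Value 'nested' | Out-Null
New-Item -ItemType File -Path (Join-Path $root 'readme.txt') -Value 'not a log' | Out-Null
$hidden = New-Item -ItemType File -Path (Join-Path $root 'ntuser.dat.LOG') -Value 'hidden'
$hidden.Attributes = $hidden.Attributes -bor [System.IO.FileAttributes]::Hidden

$report = Get-LogInventory -Path $root
$report.Files | Format-Table -AutoSize
"Paths skipped because of errors: $($report.Skipped.Count)"
$report.Skipped

# Clean up the sandbox (-Force is needed because of the hidden file).
Remove-Item -LiteralPath $root -Recurse -Force
```

When the function is pointed at a real drive, review the Skipped list before treating the inventory as complete.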

Using the Get-Item Cmdlet

The Get-Item cmdlet retrieves the specified items from the specified
locations. Like Get-ChildItem, Get-Item can be used to navigate
through different types of data stores. Unlike Get-ChildItem, Get-Item
doesn’t have a default location, so you must always supply at least
one location using the -Path parameter. Although the parameter is
required, including the parameter name isn’t. For example, here’s a
simple command that uses a period to retrieve information about the
current directory (the H root directory in this case):

Get-Item . 

Figure 3 shows the results.

Figure 3: Using Get-Item to Retrieve Information About the Current Directory

The Get-Item cmdlet lets you use the wildcard character * to return
all the contents of the item (i.e., all the child items). For example,
the following command returns all the contents of the current directory
(the H root directory in this case). Both the period and asterisk
characters can be used as components in a path, but you must still
include backslash folder separators:

Get-Item .\*

You can see the results in Figure 4.

Figure 4: Using Get-Item to Return All the Contents of the Current Directory


It’s important to understand that all PowerShell cmdlets, including
the Get-Item cmdlet, return objects. The Get-Item cmdlet returns
System.IO.DirectoryInfo objects, which contain numerous methods
and properties you can use. To see those methods and properties,
you can send, or pipe, the results of a Get-Item command to the
Get-Member cmdlet. If you want to see only the properties, you can run
the command:

Get-Item . | Get-Member -MemberType Property 

As you can see in Figure 5, there are many properties, including the 
LastAccessTime property, which returns the date and time when the 
specified directory was last accessed. 

For instance, if you want to find out when the current directory was 
last accessed, you’d run the command: 

(Get-Item .).LastAccessTime


In this command, notice that the Get-Item . call is enclosed in
parentheses and that there’s a period between the closing parenthesis and
LastAccessTime. The parentheses around the Get-Item . call cause
the returned objects to be stored in memory so that you can perform
additional operations on them. In this case, the operation is the
retrieval of the returned object’s LastAccessTime property value. In
PowerShell, you use the dot notation to access object member
properties and methods, which is why you need to include the period
between the closing parenthesis and LastAccessTime.


Figure 5: Learning About the Properties of the System.IO.DirectoryInfo Object


There’s a collection of special properties named NoteProperty that 
you can use to narrow your output to a particular type of object. You 
can use the Get-Member cmdlet with the -MemberType NoteProperty 
parameter to learn about the special properties in this collection: 


Get-Item . | Get-Member -MemberType NoteProperty 

If you run this command, you’ll find that the collection returns six
properties: PSChildName, PSDrive, PSIsContainer, PSParentPath,
PSPath, and PSProvider. The PSIsContainer NoteProperty tells you
whether the object is a container (i.e., a directory). It returns True
when the object is a directory and False when it’s a file. You can use
this property to limit the Get-Item cmdlet’s output to directories:

Get-Item C:\* | Where-Object { $_.PSIsContainer }

Let’s take a closer look at this command, whose results are in
Figure 6. First, you’re piping all the contents of the C root directory to the
Where-Object cmdlet, which lets you filter objects. In this case, you’re
using the PSIsContainer NoteProperty to filter the output so it returns
only directories. The $_ automatic variable represents each file object
as it is passed to the command through the pipeline. If you’re
unfamiliar with how to use the Where-Object cmdlet, see “PowerShell
Basics: Filtering Objects.”

Figure 6: Limiting the Get-Item Cmdlet’s Output to Directories Only


Like Get-Childitem, you can refer to Get-Item by an alias. Get-Item 
has one built-in alias: gi. 

Using the Copy-Item Cmdlet 

The Copy-Item cmdlet is PowerShell’s implementation of the DOS
copy command and the UNIX cp command, except that Copy-Item
is designed to work with the data exposed by any provider. The
cmdlet’s first two parameters are -Path (which you use to specify the
item you want to copy) and -Destination (which you use to specify
where you want to copy that item). They’re positional so the parameter
names can be omitted. For example, the following command
copies the test.txt file in the C:\Scripts folder to the
C:\Backups\Scripts folder:

Copy-Item C:\Scripts\test.txt C:\Backups\Scripts

The -Path parameter accepts wildcards, so you can copy multiple 
files at once. For example, this command copies all the files in the 
C:\Scripts folder to the C:\Backups\Scripts folder: 

Copy-Item C:\Scripts\* C:\Backups\Scripts 

To get more fine-grained control over a copying operation, you can use 
the -Recurse, -Filter, and -Force parameters. For instance, the following 
command copies all .txt files contained in C:\Scripts to C:\Temp\Text: 

Copy-Item -Path C:\Scripts -Filter *.txt -Recurse `
-Destination C:\Temp\Text

Note that the backtick at the end of the first line is PowerShell’s line
continuation character.

With a little wrangling, you can plug the FullName property into
the -Path parameter to copy a carefully compiled list of file objects
using either the Get-Item or Get-ChildItem cmdlet:

Get-ChildItem C:\* -Include *.txt |
Where-Object { $_.PSIsContainer -eq $false -and
$_.LastAccessTime -gt ($(Get-Date).AddMonths(-1))} |
ForEach-Object { Copy-Item $_.FullName C:\Temp}

This statement is really three separate commands combined. The first
command (i.e., the command on the first line) retrieves all the .txt
files in the C root directory. The second command (i.e., the command
on the second and third lines) then whittles down the list of text
files so that it contains only the file objects whose LastAccessTime
property is greater than one month ago. The third command (i.e., the
command on the last line) passes each file’s full path to Copy-Item’s
-Path parameter using the ForEach-Object cmdlet. If you’re unfamiliar
with how to use the ForEach-Object cmdlet, see “PowerShell Basics:
Filtering Objects.”

Too complicated for your tastes? You’ll be happy to know that 
you can accept input from the pipeline. Just be sure to include the 
-Destination parameter name so that Copy-Item knows what to do 
with the input, because that parameter isn’t in the expected position: 

Get-ChildItem C:\* -Include *.log |
Copy-Item -Destination C:\Temp

Although not shown in these examples, you can refer to Copy-Item by 
aliases. There are three built-in aliases: copy, cp, and cpi. 

Using the Move-Item Cmdlet 

The Move-Item cmdlet is similar to the Copy-Item cmdlet. In fact, if 
you replace Copy-Item with Move-Item in any of the commands in 
the previous section, the commands will behave in much the same 
way, except that the original files will be deleted in the source folder. 

However, there’s one notable difference. If you run the same
Copy-Item command twice, you’ll find that PowerShell overwrites
the existing file in the destination folder without any warning. The
Move-Item cmdlet is more cautious in this regard and will throw an
error instead. For example, if you run the command

Get-ChildItem C:\* -Include *.txt |
Where-Object { $_.LastAccessTime -gt ($(Get-Date).AddMonths(-1))} |
ForEach-Object { Move-Item $_.FullName C:\Temp}

you’ll receive the error Cannot create a file when that file already
exists. Using the -Force parameter will modify this behavior so that
Move-Item overwrites the existing file.

In addition to the -Force parameter, you can use the -Recurse and
-Filter parameters in your Move-Item commands to fine-tune them.
For example, the following command moves the text files in the
C:\Scripts folder and its subfolders to the C:\Temp\Text folder. In this
case, you need to include the -Destination parameter name because
you’re not using that parameter in the position that PowerShell
expects:

Move-Item C:\Scripts -Filter *.txt -Recurse -Destination C:\Temp\Text

Like Copy-Item, Move-Item has three built-in aliases. Those aliases 
are move, mv, and mi. 
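
Because Copy-Item overwrites an existing destination file without warning, a backup script built from the pipeline above can silently replace an earlier copy. The following added example (not part of the original article) wraps the same Get-ChildItem, Where-Object, and ForEach-Object pipeline in a function that skips files already present in the destination and supports a -WhatIf preview; the Copy-RecentFile name, its parameters, and the sandbox files are constructed for illustration.

```powershell
# Added example: the function name, parameters, and sample files are constructed.
function Copy-RecentFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination,
        [string]$Include = '*.txt',
        [int]$Months = 1
    )
    $cutoff = (Get-Date).AddMonths(-$Months)

    # Same filter as in the article: files only, accessed after the cutoff.
    Get-ChildItem -Path (Join-Path $Source '*') -Include $Include -Force |
        Where-Object { (-not $_.PSIsContainer) -and ($_.LastAccessTime -gt $cutoff) } |
        ForEach-Object {
            $target = Join-Path $Destination $_.Name
            if (Test-Path -LiteralPath $target) {
                # Copy-Item would overwrite this file without warning, so skip it.
                Write-Warning "Skipped $($_.Name): already exists in $Destination"
            }
            elseif ($PSCmdlet.ShouldProcess($_.FullName, "Copy to $Destination")) {
                Copy-Item -LiteralPath $_.FullName -Destination $target
                $target   # emit the path of each file that was actually copied
            }
        }
}

# Constructed sandbox so the example never touches real data.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('copy-demo-' + [guid]::NewGuid().ToString('N'))
$src  = Join-Path $root 'Scripts'
$dst  = Join-Path $root 'Backups'
New-Item -ItemType Directory -Path $src, $dst | Out-Null

# Two recently created files and one file made to look six months stale.
New-Item -ItemType File -Path (Join-Path $src 'recent.txt') -Value 'new content' | Out-Null
New-Item -ItemType File -Path (Join-Path $src 'notes.txt')  -Value 'notes' | Out-Null
New-Item -ItemType File -Path (Join-Path $src 'old.txt')    -Value 'stale' | Out-Null
(Get-Item (Join-Path $src 'old.txt')).LastAccessTime = (Get-Date).AddMonths(-6)

# An earlier backup that must not be clobbered.
New-Item -ItemType File -Path (Join-Path $dst 'recent.txt') -Value 'earlier backup' | Out-Null

# Preview first, then run for real and list what was copied.
Copy-RecentFile -Source $src -Destination $dst -WhatIf
$copied = Copy-RecentFile -Source $src -Destination $dst
$copied
Get-Content (Join-Path $dst 'recent.txt')

# Clean up the sandbox.
Remove-Item -LiteralPath $root -Recurse -Force
```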

Using the New-Item Cmdlet

The New-Item cmdlet performs the dual role of directory and file
creator. (It can also create registry keys and entries in the registry.)
When you want to create a file, you need to include the -Path
parameter and the -ItemType parameter. As you’ve seen before, the -Path
parameter is positional, so the -Path parameter name isn’t required as
long as you specify the path and name (i.e., pathname) immediately
after the cmdlet name. You must also include the -ItemType
parameter with the “file” flag. Here’s an example:

New-Item 'C:\Documents and Settings\Nate\file.txt' `
-ItemType "file"

The -Path parameter can accept an array of strings so that you can
create multiple files at once. You just need to separate the paths with
commas. In addition, you need to put the -ItemType "file" parameter
first, which means you also need to include the -Path parameter
name because it’s no longer the first parameter after the cmdlet
name:

New-Item -ItemType "file" -Path "C:\Temp\test.txt",
"C:\Documents and Settings\Nate\file.txt",
"C:\Test\Logs\test.log"

If a file with the exact same pathname already exists, you’ll get an
error. However, you can include the -Force parameter so that
New-Item will overwrite the existing file.

What’s really interesting about the New-Item cmdlet is that it lets 
you insert text into a file by means of the -Value parameter: 

New-Item 'C:\Documents and Settings\Nate\file.txt' `
-ItemType "file" -Force `
-Value "Here is some text for my new file."

Remember to include the -Force parameter if the file already exists. 
Otherwise, you’ll receive an error. 

The -Value parameter can accept piped input, which is a great way
to redirect the output of other cmdlets to a file. You just need to
convert the output objects to a string using the Out-String cmdlet. (If you
don’t do this, New-Item will create a new file for each object.) For
example, this command retrieves information about all the files in the
C root directory, converts the file information to a string, then writes
that information to the H:\C Listing.txt file:

Get-ChildItem C:\* | Out-String |
New-Item -Path "H:\C Listing.txt" -ItemType "file" -Force

The New-Item cmdlet has only one built-in alias: ni. 

Using the Remove-Item Cmdlet 

The Remove-Item cmdlet does exactly what you’d expect: It permanently
deletes a resource from the specified drive. By permanently, I
mean that it doesn’t transfer the resource to the Recycle Bin. Hence,
if you use Remove-Item to delete a file, there’s no way to retrieve it,
other than through a file restore program.

Figure 7: Receiving a Confirm Prompt When Using Remove-Item

You specify which file to delete with the Remove-Item cmdlet’s
-Path parameter. It’s positional, so you don’t need to include the -Path
parameter name if the pathname immediately follows the cmdlet
name. For example, here’s a command to delete the test.txt file
previously copied to the C:\Backups\Scripts folder:

Remove-Item "C:\Backups\Scripts\test.txt" 

Let’s take a look at another example. The following command removes
all the .txt files (as indicated by the -Include parameter) in the
C:\Scripts folder, except for any files that have the string value test
anywhere in the filename (as indicated by the -Exclude parameter):

Remove-Item C:\Scripts\* -Include *.txt -Exclude *test* 

Being such an inherently dangerous tool, Remove-Item comes with 
a couple of fail-safes. First, if you attempt to delete everything from 
a folder that contains non-empty subfolders, you’ll get a Confirm 
prompt. For instance, suppose that C:\Scripts contains non-empty 
subfolders and you run the command: 

Remove-Item C:\Scripts\* 

You’ll be asked to confirm that you want to delete the non-empty 
subfolders, as Figure 7 shows. 

Confirm
The item at c:\scripts\test has children and the -recurse parameter was not specified.
If you continue, all children will be removed with the item. Are you sure you want to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is

If you want to run a script that uses Remove-Item to delete the
entire contents of a folder, including the contents in subfolders, you
need a way to have Remove-Item run without any user interaction.
The way to do that is to include the -Recurse flag.

The Remove-Item cmdlet’s second fail-safe is the -WhatIf
parameter. If you include this parameter in a Remove-Item command,
PowerShell will display what items would be deleted instead of actually
deleting them. Due to the destructive nature of delete operations, it’s
an especially good idea to try your Remove-Item commands with the
-WhatIf parameter first, like this:

Remove-Item c:\* -Recurse -WhatIf


Figure 8 shows sample results. Note that your results might include
an error statement along the lines of Cannot remove the item at
'C:\Users' because it is in use. This occurs if the current working
directory is a subfolder of the directory you’re trying to remove (in this
example, a subfolder under the C root directory).


Figure 8: Using Remove-Item's -WhatIf Parameter

What if: Performing operation "Remove Directory" on Target "C:\Best Practices".
What if: Performing operation "Remove Directory" on Target "C:\DRIVERS".
What if: Performing operation "Remove Directory" on Target "C:\PerfLogs".
What if: Performing operation "Remove Directory" on Target "C:\Program Files".
What if: Performing operation "Remove Directory" on Target "C:\runtime-EclipseApplication".
What if: Performing operation "Remove Directory" on Target "C:\TEMP".
What if: Performing operation "Remove Directory" on Target "C:\test".
What if: Performing operation "Remove Directory" on Target "C:\test2".
What if: Performing operation "Remove Directory" on Target "C:\Users".
What if: Performing operation "Remove Directory" on Target "C:\windows".
What if: Performing operation "Remove File" on Target "c:\autoexec.bat".
What if: Performing operation "Remove File" on Target "c:\config.sys".


When it comes to aliases, Remove-Item is in a league of its own. It 
has six built-in aliases: del, erase, rd, ri, rm, and rmdir. 
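
The two fail-safes described above can be built into a script's own cleanup function. The following is an added example, not code from the article: Clear-FolderContent, its parameters and the sandbox folder are hypothetical names, and it assumes Windows PowerShell with a writable $env:TEMP.

```powershell
# Added example, not from the article. Clear-FolderContent, its parameters
# and the sandbox paths below are hypothetical names chosen for this sketch.
function Clear-FolderContent {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumption: deletes are only permitted beneath this folder.
        [Parameter(Mandatory = $true)][string]$AllowedRoot
    )

    # Resolve both paths first so relative paths and ".." segments cannot
    # steer the delete outside the allowed root.
    $resolved = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    if (-not (Test-Path -LiteralPath $resolved -PathType Container)) {
        throw "'$resolved' is not a folder."
    }
    $target = $resolved.TrimEnd('\')
    $root   = (Resolve-Path -LiteralPath $AllowedRoot -ErrorAction Stop).ProviderPath.TrimEnd('\')
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase

    if ($target -ne $root -and -not $target.StartsWith("$root\", $ignoreCase)) {
        throw "'$target' is outside the allowed root '$root'."
    }

    # Remove-Item reports "in use" when the current location is inside the
    # tree being deleted, so fail early with a clearer message.
    $here = (Get-Location).ProviderPath
    if ($here.StartsWith("$target\", $ignoreCase)) {
        throw "Current location '$here' is inside '$target'. Change directory first."
    }

    foreach ($item in Get-ChildItem -LiteralPath $target -Force) {
        # Do not recurse through junctions or symbolic links: their content
        # lives outside the folder that was checked above.
        if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            Write-Warning "Skipped link '$($item.FullName)'."
            continue
        }
        # With -WhatIf, ShouldProcess prints the "What if:" line and returns
        # $false, so nothing is deleted.
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove item and all children')) {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force -Confirm:$false
        }
    }
}

# Constructed sandbox so the example runs without touching real data.
$sandbox = Join-Path $env:TEMP 'RemoveItemDemo'
New-Item -Path (Join-Path $sandbox 'Logs\2013') -ItemType Directory -Force | Out-Null
New-Item -Path (Join-Path $sandbox 'Logs\2013\old.log') -ItemType File -Force | Out-Null
New-Item -Path (Join-Path $sandbox 'notes.txt') -ItemType File -Force | Out-Null

# 1. Preview: lists what would be removed and deletes nothing.
Clear-FolderContent -Path $sandbox -AllowedRoot $sandbox -WhatIf

# 2. Unattended run for scripts: -Confirm:$false suppresses the prompt.
Clear-FolderContent -Path $sandbox -AllowedRoot $sandbox -Confirm:$false

# 3. A path that escapes the allowed root is rejected before any delete.
try { Clear-FolderContent -Path "$sandbox\.." -AllowedRoot $sandbox -Confirm:$false }
catch { Write-Warning $_.Exception.Message }
```
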


Using the Rename-Item Cmdlet

The Rename-Item cmdlet is handy when you want to rename a resource
within a PowerShell provider namespace. The Rename-Item cmdlet’s
first parameter is -Path and its second parameter is -NewName. As its
name suggests, the -NewName parameter specifies the new name for
the resource. It’s important to note that this parameter expects the name
only, without the path. If Rename-Item detects a path, it’ll throw an
error. For example, if you want to rename the C Listing.txt file in the H
root directory to c_listing.txt, you’d run the command:

Rename-Item -Path "H:\C Listing.txt" -NewName c_listing.txt 

Because -Path and -NewName are positional parameters, you can omit 
the parameter names as long as they’re in the expected positions: 

Rename-Item "H:\C Listing.txt" c_listing.txt 

One limitation of the Rename-Item cmdlet is that the -NewName 
parameter expects a single string without wildcards. However, you 
can work around this by iterating through items in a directory. You 
just need to pipe the Get-ChildItem cmdlet’s output to the -Path 
parameter and include the -NewName parameter. 

For example, here’s a command that iterates through all the files in 
the current directory and renames each file by replacing all the spaces 
in the filenames with underscores: 

Get-ChildItem * |
    Where-Object { !$_.PSIsContainer } |
    Rename-Item -NewName { $_.Name -replace ' ', '_' }

Let’s go through how this command works. The Get-ChildItem cmdlet’s
output is piped to the Where-Object cmdlet, which filters the output
so it returns only files. This is achieved by using the PSIsContainer
NoteProperty with the -not (!) logical operator. (Alternatively, you could
use $_.PSIsContainer -eq $false, as was done in a previous example.)
The filtered output (i.e., the file objects) is piped to the Rename-Item
cmdlet. The value of Rename-Item’s -NewName parameter is a script
block. This script block will be executed before the Rename-Item
cmdlet is executed. In the script block, the $_ automatic variable represents
each file object as it is passed to the command through the pipeline.
The -replace comparison operator replaces the spaces in each filename
(' ') with the underscore character ('_'). Note that you could also use
the expression '\s' to target spaces because the first parameter accepts
regular expressions. Even hidden files can be renamed, thanks to the
-Force parameter.

The Rename-Item cmdlet has two built-in aliases. Those aliases are
ren and rni.
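
The rename pipeline above reports an error for any file whose new name already exists, and Get-ChildItem returns hidden files only when -Force is given. This added example (not from the article; Rename-SpacesToUnderscores and the demo folder are hypothetical names) previews the renames with -WhatIf, includes hidden files, and skips collisions.

```powershell
# Added example, not from the article. The function name and the demo
# folder are hypothetical.
function Rename-SpacesToUnderscores {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Folder = '.')

    # -Force makes Get-ChildItem return hidden files as well.
    Get-ChildItem -LiteralPath $Folder -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match ' ' } |
        ForEach-Object {
            $newName = $_.Name -replace ' ', '_'
            $newPath = Join-Path -Path $_.DirectoryName -ChildPath $newName
            if (Test-Path -LiteralPath $newPath) {
                # Renaming onto an existing name fails, so report and move on.
                Write-Warning "Skipped '$($_.Name)': '$newName' already exists."
            }
            else {
                # -NewName takes the name only, never a path. -Force lets
                # Rename-Item change hidden or read-only files. A -WhatIf
                # passed to this function is honored by Rename-Item.
                Rename-Item -LiteralPath $_.FullName -NewName $newName -Force -PassThru
            }
        }
}

# Constructed demo folder: one collision and one hidden file.
$demo = Join-Path $env:TEMP 'RenameItemDemo'
New-Item -Path $demo -ItemType Directory -Force | Out-Null
'my notes.txt', 'my_notes.txt', 'old log.txt' | ForEach-Object {
    New-Item -Path (Join-Path $demo $_) -ItemType File -Force | Out-Null
}
(Get-Item -LiteralPath (Join-Path $demo 'old log.txt')).Attributes = 'Hidden'

# Preview only: prints a "What if:" line for each rename that would happen.
Rename-SpacesToUnderscores -Folder $demo -WhatIf

# Real run: 'old log.txt' becomes 'old_log.txt'; 'my notes.txt' is skipped
# with a warning because 'my_notes.txt' already exists.
Rename-SpacesToUnderscores -Folder $demo
```
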

The Magnificent 7 

In this tutorial, you learned about all the ways that PowerShell can
interact with files. In particular, you examined PowerShell’s built-in
cmdlets for working with files, which include the Get-ChildItem,
Get-Item, Copy-Item, Move-Item, New-Item, Remove-Item, and
Rename-Item cmdlets.

CommVault's Best-Kept Secret to Success: Microsoft

CommVault "Bet the Company" on Windows over a decade ago; now Microsoft ups the ante with
CommVault to assist in the adoption of Windows Azure with Windows Server.


Q: What is the origin of CommVault? 

A: Randy (CommVault)—CommVault was part of AT&T/Network Systems and had the original charter of quickly restoring complex 
AT&T phone systems to a point in time. CommVault's first product was delivered in 1989, and that old UNIX-centric solution was 
modified to a fast-recoverable device in 1990. 

Q: Back in the 1990s, AT&T was almost solely focused on UNIX. How did CommVault move to Microsoft 
technologies and other heterogeneous support? 

A: Randy (CommVault)—Support for heterogeneous products, most notably Microsoft and Banyan technologies, was added in 
1994. We learned how important it was to enable the enterprise to manage data in a granular fashion—especially for Microsoft 
Exchange and Banyan Mail. We were learning important requirements in addition to quick restores, but we were challenged by 
the UNIX platform tied to expensive hardware with massive porting investments. 

Q: Rebuilding a company and product from the ground up takes a lot of risk. Why did you believe 
CommVault could be successful? How hard was it to turn the company on a dime? 

A: Bob (CommVault)—It was not a hard decision. First, CommVault's odds of success with the underlying architecture of the AT&T 
product were essentially zero. I felt someone could create a very successful enterprise by building a company with a data-centric 
view versus just backup and restore, but it would have to be built on a completely new architecture. 

Q: How did CommVault work with Microsoft in those early bet-the-company days? 

A: Bob (CommVault)—We felt the console of our new heterogeneous platform should be Windows Server-based for three reasons.
First, as a new entrant into the market we needed a unique entry point to the market, and we decided to do that with leading
Windows Server solutions since all the market leaders were UNIX-based and none had good products for Windows. Second, Windows
Server was the fastest growing OS for businesses. And third, we believed that having Windows Server services like Active Directory at
the top of the stack would be a strategic advantage.

Eric (Microsoft)—Microsoft believed that Windows 2000 Server and follow-on releases would be the platform of choice for businesses.
We were happy to add a partner that used Windows Server as the platform for heterogeneous data management. Microsoft's
commitment to openness continues today with the Windows Server platform, and is evolving into the cloud with Windows Azure.

Q: So back in the days of Windows NT and Windows 2000 Server, you decided to rebuild a software-only 
solution for Microsoft's young Server OS. What was behind that decision? 

A: Randy (CommVault)—In addition to what Bob said, from 1994 through 1999, a majority of CommVault's business was coming 
from enterprises using Microsoft technology, and we believed it was a lot easier for those customers to integrate a Windows Server 
software solution rather than a UNIX-based hardware one. Building on Windows Server significantly streamlined our testing cycles, 
freeing up developers to put in new features that our customers were asking for. 

Bob (CommVault)—Once we had developed the first version with our new Windows-based console, Randy De Meno told his friend,
Jim Allchin, what we were doing. Jim was impressed, interested. After we presented our vision to Jim and his staff, Microsoft became
the first major investor to support the development of our new strategy. That investment was critical to the early development of
the company.

Q: Fourteen years later, the relationship with Microsoft seems to have been successful, but back in the 
1990s, why did you build up your relationship with CommVault? 

A: Eric (Microsoft)—We liked their vision and willingness to collaborate on Simpana with Windows Server being their platform of
choice. Their vision was supported by their people and ability to execute. Aside from CommVault's obvious financial success, we've
seen the company grow to about 1800 employees, and that growth centers on a product that uses Windows Server and SQL Server
as the console for its platform. It's a great example of working with Microsoft over the past two decades.

Q: For Microsoft, what examples from your work with CommVault can you pass on to other partners 
wanting to succeed in the Microsoft partner community? 

A: Eric (Microsoft)—Talk to us. We're always looking to collaborate with partners to extend our operating systems and applications.
Customer success is our highest concern, and partners help customers succeed.

Mike (Microsoft)—It's been great to see the focus and intensity the CommVault sales force brings in helping our mutual customers
improve the efficiencies of data management. We respect CommVault's history of delivering a Microsoft-centric software
solution and their expertise.

Fran (Microsoft)—When a small cloud storage vendor recently went out of business, we were asked to help its customers. We
worked with CommVault to rapidly support and migrate that company's customers to Windows Azure. This allowed these customers
to remain within their compliance and E-Discovery requirements. There were a lot of moving parts behind the scenes at
high levels within both CommVault and Microsoft, but at the end of the day, the customers were safely and efficiently moved.
We had key senior developers creating solutions on the fly. It was a classic example of the deep knowledge both CommVault and
Microsoft have of each other's technology and expertise.

Q: For CommVault, what keys have made collaborating with the largest software company on the 
planet work? 

A: Randy (CommVault)—Keeping it simple for Microsoft to work with us. We streamlined a rather small (by comparison), but 
technically strong team. We try to make it easy for Microsoft to contact us. This foundation has improved our engagement model 
and strengthened our solutions for customers. This is one of the primary reasons for our growth over the past 15 years. 

Q: Can you provide some examples of how customers benefit from the CommVault/Microsoft collaboration? 

A: Randy (CommVault)—The Release Independence we built into Simpana constantly benefits our customers. Customers can
have confidence in upgrading to the latest versions of Microsoft Exchange, SharePoint, SQL Server, Windows Server, etc., and
know they can easily search for and retrieve data from the previous version. We have a vested interest in helping customers
upgrade since we can take advantage of the latest and greatest APIs in the various new releases.

Fran (Microsoft)—Being an executive sponsor for CommVault for several years, it's always special to meet their customers at 
Executive Briefings. We gain insight into how to improve Microsoft technologies while providing joint solutions. 

Mike (Microsoft)—I've met thousands of CommVault customers and partners over the past year, and they all share the same
passion for CommVault and Microsoft and look forward to us improving what we're already delivering. The many "Unleashed"
seminars we've done around the world, where we often have 50-100 attendees in each city, give our customers the ability to
offer feedback and suggest what features they want to see from CommVault and Microsoft.

Q: Windows Azure and Windows Server with Hyper-V are the latest advances from Microsoft; how have 
you worked together to enhance the customer's experiences by offering Simpana? 

A: Randy (CommVault)—We've used the same cadence we've used over the past 15 years: Microsoft identifies key technologies,
and we collaborate on how to add value.

Eric (Microsoft)—Communication. The same team we supported 15 years ago is still the same one we're innovating with today. 
We believed in CommVault's people and their concept. 

Fran (Microsoft)—CommVault's ability to assist our customers in upgrading helps enable them to fully take advantage of the 
latest benefits of Windows Azure and Windows Server 2012 R2 with Hyper-V. CommVault adds E-Discovery capabilities for 
Windows Azure to help our customers run their business in Windows Azure. 

Q: How is CommVault continuing to use Windows Server as the platform to build Simpana for the future? 

A: Randy (CommVault)—We'll simply continue to listen to Microsoft about where their technology is going, then innovate
and extend on their platform to add value for our mutual customers.

Microsoft System Center 2012 App Controller is a brand new
addition to the management product. Whereas all the other
System Center 2012 components are upgrades to existing
products, App Controller has been written from scratch. The
component provides a rich, web-based environment that end users can
use to create, manage, and connect to services and virtual machines
(VMs). These VMs can be in private clouds that are managed with
System Center 2012 Virtual Machine Manager (VMM), in Windows
Azure Infrastructure as a Service (IaaS), or hosting partners’ Microsoft
Service Provider Framework (SPF). Azure IaaS and SPF support were
added to App Controller in System Center 2012 Service Pack 1 (SP1).
You might be wondering when to use the VMM self-service portal and
when to use App Controller. The answer is to always use App
Controller. The VMM self-service portal has been removed in VMM 2012 SP1.

This article focuses on App Controller in System Center 2012 SP1,
which broadens the component’s capabilities and adds support for
Windows Server 2012 (via the VMM component). I definitely
recommend deploying SP1. Also make sure to download and apply the
Update Rollup 1 for VMM and App Controller. This update addresses
some significant issues.

App Controller is supported on Windows Server 2012 and
Windows Server 2008 R2 SP1. However, if you are installing App
Controller on the same server as the most recent version of VMM, then you
must use Windows Server 2012. (VMM no longer supports Windows
Server 2008 R2.) App Controller leverages its own database to store
configuration information; this database can be SQL Server 2012, SQL
Server 2008 R2, or SQL Server 2008 SP2.

As previously noted, App Controller is often deployed on the same
server as VMM. The components work together closely. But in large
environments that require greater scalability, App Controller can be
deployed on its own OS instance. App Controller can be made highly
available or can be load-balanced by using any of several available
mechanisms. First make sure that the SQL Server database is part of
a highly available SQL Server cluster. For the App Controller server,
either make the App Controller VM highly available or deploy
multiple App Controller instances that use the same SQL Server database
and share a common encryption key.

Installing App Controller 

The installation of App Controller is simple. Most of the actual
configuration, in terms of users and available resources, comes from VMM.

This means that before deploying App Controller, it’s important to 
deploy VMM and create clouds of resources and defined tenants (i.e., 
groups of users with various rights and quotas for those clouds). 

These fundamental building blocks enable App Controller to integrate 
with on-premises virtual environments. It’s also necessary to create 
VM templates (and, optionally, to create service templates), because 
these are how users deploy environments through App Controller. 

Your App Controller administrators must also be VMM
administrators. The account you use to install App Controller must be a member
of the local Administrators group on the server and will become the
first App Controller administrator.

The actual installation of App Controller is documented in the
TechNet article “Installing App Controller” and is intuitive because
there are so few installation options. As long as your SQL Server
deployment is available for use by App Controller and your server meets
requirements, the only change that you might want to make to the
standard installation is to use a trusted SSL certificate. This option is
preferred over a self-signed certificate generated by the install process,
so that users don’t get warnings that the certificate is not trusted. I
definitely recommend against using the self-signed certificate, unless
you’re using App Controller in a limited test environment.

After the App Controller installation is complete, make sure to 
install the Update Rollup 1 for App Controller (and for VMM). Then 
run Windows Update to check for any post-rollup hotfixes. 

The only configuration that you must perform is to connect App
Controller to the VMM instance. To do so, log on to the App Controller
website, which takes the form https://<App Controller Server>. Next,
choose the Settings navigation node and the Connections child
navigation node. Choose the Connect, SCVMM action, as shown in Figure 1.

Figure 1: Connecting App Controller to VMM



This action launches the Add a new VMM connection screen. Enter
a name for the new VMM connection, a description, and the VMM
server name. (Remember, you should be logged on as an
administrator for both App Controller and VMM.)

You’ll notice that a Windows Azure connection exists by default.
This connection allows the addition of Windows Azure subscriptions
to App Controller. Also note the option to add a Service Provider, which
can be a company that offers VM hosting and has implemented the
SPF so that it can be managed via App Controller. Think of the SPF as
exposing the hoster’s own VMM deployment to your on-premises App
Controller. The hoster must give you the Uniform Resource Identifier
(URI) for your tenant ID in their environment to complete the
connection from App Controller.

If your organization uses Windows Azure, then add those
subscriptions to App Controller by navigating to the Clouds view and using the
Connect, Windows Azure Subscription action (or use Settings,
Connections, Add). To link to Windows Azure, you must have created a
management certificate, which must be imported into the Windows Azure
subscription and be available for importing into App Controller as part
of the process of connecting App Controller to Windows Azure. I detail
the whole process, including how to create and use the certificate, in
the FAQ “How do I create a certificate to enable System Center App
Controller to manage Windows Azure?”

Under the Settings navigation node is the User Roles child node. In
User Roles view, you can configure additional App Controller
administrators by adding members to the Administrators built-in user role.

If you added Windows Azure subscriptions or connections to SPF
hosters, then additional user roles can also be created to control App
Controller user access to those subscriptions and services. Otherwise,
these subscriptions and services can’t be controlled through your
on-premises VMM instance, which only manages the on-premises
private cloud infrastructure.

Consider what you now have with App Controller: a single pane of 
glass that has access to your on-premises private clouds as defined 
and managed in VMM, to your Windows Azure subscriptions, and 
to your services at hosting partners that leverage SPF. Initially, most 
organizations will use App Controller for their on-premises private 
cloud management only. But the ability to grow App Controller’s 
reach can help organizations to embrace a hybrid cloud approach. 

Some customization of App Controller is possible. Changing the
graphics for App Controller, as you can see in Figure 1, is easy. The
logos are simply two image files (SC2012_WebHeaderLeft_AC.png
and SC2012_WebHeaderRight_AC.png) in the
\%PROGRAMFILES%\Microsoft System Center 2012\App Controller\wwwroot folder. Just
back up and replace these images. Be sure that your replacement
graphics are the same dimensions as the originals—287 x 44 and
108 x 16, respectively—or they won’t work.

All App Controller configurations are performed through the
website; there is no separate management tool. Because the App Controller
web interface is based on Microsoft Silverlight, the browser used must
be a 32-bit browser that supports Silverlight 5. Therefore, you need to
use Internet Explorer (IE) 8 or later. Other browsers don’t work at this
time. If you are embracing Windows PowerShell, the PowerShell
module for App Controller enables all the related key configurations. Run
the following PowerShell command to see the available cmdlets:

Get-Command -Module AppController 

Using App Controller 

App Controller is ready to use immediately after being connected
to your cloud services. Users navigate to
https://<App Controller Server> and log on using their domain credentials in a Forms Based
Authentication (FBA) interface. You can also enable single sign-on
(SSO), which removes FBA completely.

After authentication, users see the clouds that have been defined in 
VMM and to which they have access, as well as their Windows Azure 
subscriptions and SPF services, in the Overview window. If a user is 
not a tenant (i.e., not part of any role that has rights) of a cloud that 
is defined in VMM, then the user does not see any private clouds in 
App Controller. Think of App Controller as an interface into the VMM 
configurations for the private cloud. The actual granting of rights is 
all performed through VMM. 

The App Controller interface is highly intuitive. Users can typically
pick up its use very easily. Figure 2 shows a default view for users
when they log on.

Figure 2: Overview Screen for a Standard User

In this example, you can see that the user has access to one
on-premises cloud and one Windows Azure subscription. For the
on-premises cloud, App Controller shows the user’s current resource
usage and remaining quota. Anytime a user deploys a new VM or
service, App Controller shows the quota impact and ensures that the
user cannot exceed the quota. Notice that for standard users, the
Settings navigation node is not shown. Also, standard users’
recommended Next Steps are different from an administrator’s and are
limited to deploying a new service or VM.

Clicking a cloud in the Overview window opens the Clouds view, 
which allows the deployment of services via the Deploy button. The 
deployment experience is one of the highlights of App Controller. 

When the deployment is initiated, the New Deployment page
opens. By default, this page shows the cloud that was selected when
the Deploy button was clicked. Initially, the only possible
configuration is to select a template, as shown in Figure 3.

Figure 3: New Deployment Screen



This template is a composite view of all the initial options,
depending on the selected cloud. The available templates depend on which
cloud is being deployed to and which templates the user has access
to. If I deploy to Windows Azure, I get the standard list of Azure
templates and any custom ones that I might have added. If I deploy to my
on-premises private cloud, I see the templates and services available
for my user role.

After a VM is selected, configuration is possible. For example, you
can name the VM and perhaps perform some customization,
depending on the selected template. If you have defined service templates—
scalable, multi-tiered complete services that are designed within
VMM—and made them available to the tenant, then selecting a
service results in a rich view in App Controller, as shown in Figure 4.


This view allows all the VMs for the initial service deployment to
be configured and deployed. However, no configuration is necessary.
Default VM and computer names are automatically generated for all
the VMs that are deployed as part of the service.

I say the initial deployment because the whole point of service
templates is that each tier can have a variable number of VMs, depending
on load. App Controller deploys the initial number of VMs that are
defined for each tier, but that number can grow or shrink as the
service runs. App Controller allows the addition of VMs for a deployed
service via the Scale Out action, which is available from the diagram
view of a deployed service. (To scale in a tier of a service, manually
delete VMs; there is no specific Scale In action.)

Figure 4: Sample Deployment of a Three-Tiered Service

After all customization is complete, click the Deploy button to
create a deployment job. If the deployment is to a private cloud, then
the job is created in VMM. If the deployment is to Windows Azure,
then the job is created in Windows Azure. Deployments to an SPF
hosted cloud are created on the SPF infrastructure. Whatever the
target, the user’s deployment experience is the same, and the
deployment progress can be seen in the Jobs view. The actual deployment
time depends entirely on the size and number of VMs that make up
the deployment and the service being deployed to, but the progress
can be tracked in detail by using the Jobs view.

After the services and VMs are deployed, they can be viewed by
using either the Services or Virtual Machines view. For now, I’ll focus
on the Virtual Machines view, which is the primary way that most
companies will use App Controller in the near term. (I do strongly
encourage you to look at service templates in VMM, because they
provide some amazing capabilities in terms of scalability and
manageability.) The Virtual Machines view shows all the provisioned VMs,
the VMs that are stored in the library that the current user owns, and
the VMs to which the user has been given access. Default actions for
VMs—Startup, Shutdown, Pause, Turn Off, Save, Store, Mount Image,
Remote Desktop, and Console—are available, as Figure 5 shows.

If the Properties option is selected, then additional options, such
as configuring access for other users and creating and applying
snapshots, are available. Remember that the available actions depend on
which actions are granted to the user. Take some time to look around
the App Controller interface, both as an administrator and as a
regular user. Be sure to look at the information and options for the Library
and Jobs views.

Although App Controller provides huge benefits from a single
view for all virtualization services that an organization uses, it also
opens up some great hybrid capabilities. You can deploy VM
templates stored on-premises in VMM to Windows Azure. You can take
a VM that is stored in the VMM library and deploy it to Windows
Azure; this is how you migrate a VM from on-premises Windows
Hyper-V to Windows Azure. There is no live migration
functionality. You must stop the VM running on-premises and save it in the
library, using the Store action, before it can be deployed to
Windows Azure by using the Copy action. To bring a VM back from
Windows Azure, you must copy the virtual hard disks (VHDs) from
Windows Azure into your VMM library, then redeploy. Another
option for VM migration between on-premises and Windows Azure
is to use System Center 2012 Orchestrator, which offers more
flexibility and power to the migrations.

Figure 5: Available Actions for VMs

One important point to note is that at the time of writing, Windows 
Azure does not support the VHDX format. Therefore, the only VMs that 
you can move to Windows Azure or templates that you can deploy to 
Windows Azure from on-premises libraries are those that exclusively 
use VHD. If there are any VHDX files in the VM or template, then the 
option to deploy or copy to Windows Azure is unavailable. 

Management Made Easy 

I’ve focused on end-user self-service, but the reality is that you might 
not want to enable end-user self-service yet. App Controller is still 
useful as a tool for administrators to deploy and perform web-based 
management of VMs, although administrators have other options, 
such as the VMM console and Orchestrator. I’ve created a short video 
to quickly walk you through the key App Controller experience. 

One question often comes up when discussing App Controller: How
can you enable workflows within the VM provisioning process? For
example, suppose you want users to be able to request a VM, but you
want a manager to approve the request first. There is no workflow or
approval capability in App Controller. Its goal is to allow users to create
and manage within the confines of the resources and quotas that
have been assigned to them. This is enough for many organizations.

If you require workflow authorization, then you should use the System
Center 2012 Service Manager Service Catalog capability, which
I cover in the article “What’s New with Service Manager 2012 SP1.”

In that case, the Service Manager web portal is used to request new 
VMs and even new clouds (along with any other type of resources in 
the organization). App Controller is then used to manage and interact 
with the created VMs. The use of two web interfaces is not ideal, but 
there is a clear distinction when you use Service Manager to request 
resources and App Controller to manage and interact with them. 

App Controller is a great web interface for consistently managing all
types of cloud services in your organization. It’s important to remember
that for private clouds, App Controller simply surfaces the clouds
that are created in VMM, so the back-end virtualization is not limited
to Hyper-V. VMM also provides private cloud capabilities to VMware
ESX and Citrix XenServer, so you can gain the private cloud capabilities
of VMM, App Controller, and the entire System Center 2012 suite,
even when you don’t use Hyper-V.



Learning Path

"What's New with System Center 2012 Service Manager SP1"
"Understanding Microsoft System Center 2012 Licensing"
"Understanding System Center 2012 Configuration Manager"
"Getting Started with System Center 2012 Orchestrator"
"Learn What System Center 2012 Operations Manager Can Do for You"

FAQ

Answers to Your Questions 


Q: How can I see all the certificate revocation
lists—even those that are expired—issued by
my Windows Certification Authority?

A: In Windows Server 2003 and earlier, the Windows Certification
Authority (CA) keeps a copy of all certificate revocation
lists (CRLs), including those that have expired. In Windows Server
2008 and later, the Windows CA deletes the expired CRL by default
when a new CRL is issued. However, you can preserve expired CRLs
by using the Certutil command-line utility. Just run these commands:

certutil -setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS 
net stop certsvc 
net start certsvc 






To look at the CRL information stored on your CA, you can use this 
command: 


certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL

Figure 1 shows sample results.

The Microsoft Management Console (MMC) Certification Authority 
snap-in won’t display the CRL history by default. You can change this 
behavior if you start the Certification Authority snap-in with the /e 
switch, as follows: 

certsrv.msc /e 
Afterward, the CRL history will be displayed, which Figure 2 shows.

Figure 1: Reviewing CRL Information from the Command Line

Figure 2: Reviewing CRL Information from the Certification Authority Snap-In

—Jan De Clercq 

Q: What are the steps to creating a virtual machine
on Windows 8 Hyper-V?

A: As you might recall, to enable Hyper-V on Windows 8, use
the Control Panel Programs and Features applet, select Turn
Windows features on or off, and choose the check box for the Hyper-V
feature. After the Hyper-V feature is enabled on a Windows 8 machine,
the usage and configuration is the same as for a server running
Hyper-V. Hyper-V Manager will be installed and available and should
be launched. You should then create a virtual switch, create virtual
machines (VMs), and install OSs into the VMs.

There is nothing special about the Windows 8 Hyper-V management,
and the same processes you use for Hyper-V on a server can
be used. I walk through some of the fundamentals in my article “Getting
Started with Windows Server 2012 Hyper-V,” which offers a good
starting point.

—John Savill 

Q: What is an acceptable number of virtual
machines that can be managed through System
Center 2012 App Controller?

A: There’s no hard limit to the number of virtual machines
(VMs) that can be managed through System Center App
Controller, although I have found that the interface typically starts to
slow down when reaching over 2,000 VMs. I have also seen environments
with 20,000 VMs; however, they tend to have some serious
performance issues.

The specific App Controller limits are detailed at Microsoft’s System
Requirements for App Controller in System Center 2012 Service
Pack 1 (SP1) website. However, these limits relate to numbers of management
servers, concurrent uses, and more, and they don’t provide
an actual number of VMs that can be managed.

—John Savill 

Q: Two unknown devices on my Windows Server
2012 R2 Hyper-V virtual machines aren’t running
the Windows Server 2012 R2 guest OS. Is this a problem?


WWW.WINDOWSITPRO.COM 


Windows IT Pro / April 2014 91 









Ask the Experts 




A: This is actually normal. There are several new features in
Windows Server 2012 R2 Hyper-V. Two of those features,
Automatic Virtual Machine Activation (AVMA) and Enhanced Session
Mode, require some virtual hardware.

AVMA lets Windows Server 2012 R2 guest OSs automatically
activate when running on an activated Windows Server 2012 R2
Datacenter Hyper-V server. Enhanced Session Mode allows a richer
Virtual Machine Connection experience such as clipboard redirection
by integrating with the Remote Desktop Protocol (RDP) stack
in the guest.

OSs earlier than Windows Server 2012 R2 don’t understand these
features, which means they will see two pieces of unknown hardware,
as Figure 3 shows. On a Windows Server 2012 R2 guest OS,
there are no unknown devices—they show under System devices as
Microsoft Hyper-V Activation Component and Microsoft Hyper-V
Remote Desktop Control Channel, as Figure 4 shows.


Figure 3: Pre-Windows Server 2012 R2 Device Manager Display Showing Unknown Device

Figure 4: Windows Server 2012 R2 Guest OS Device Manager Display Showing All Devices Labeled

—John Savill 


Q: Where can I find the certificate revocation list
and Online Certificate Status Protocol responses
that are cached on my system’s hard disk? How can I
easily view and manipulate the content of a user’s disk
cache?

A: The user-specific certificate revocation list (CRL) cache on
a system’s hard disk can be found in every user’s profile
folder underneath the \%APPDATA%\Microsoft\CryptnetUrlCache
folder. For the Windows System user profile, the CRL disk cache can
be found in \%WINDIR%\System32\config\SystemProfile\Application
Data\Microsoft\CryptnetUrlCache. (If you’re unfamiliar with these CRL
caches, see “Understanding the Caching Mechanisms Used During
Certificate Validation.”)

To view and manipulate the content of the user-specific CRL cache 
on disk, you can use the Certutil command-line utility. Specifically, 
you need to use the certutil command with the -urlcache switch. 
For example, to display the content of your user account’s CRL disk 
cache, you run this command: 

certutil -urlcache CRL 

To display the content of the Online Certificate Status Protocol (OCSP) 
disk cache, use this command: 

certutil -urlcache OCSP 

To remove a CRL named <CRLFILE> from the disk cache (where
CRLFILE will have a *.crl file extension), you run the command:

certutil -urlcache <CRLFILE> delete 

To remove all CRLs from the disk cache, use this command: 

certutil -urlcache CRL delete 

To remove all OCSP responses from the disk cache, run the command:

certutil -urlcache OCSP delete

Note that Certutil can only look at the cache content of the user
account with which you logged on. If you want to look at the cache
content of another user account, you must use the runas command
or log on to Windows using that account.

—Jan De Clercq 
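
The answer above notes that Certutil shows only the cache of the logged-on account. As an added example (not part of the original column), this Python script inventories the CryptnetUrlCache folders of every profile under a directory, for instance on a live system or a mounted copy of the profile folders. The Content and MetaData subfolder names and the LocalLow location are assumptions of this example.

```python
import os
from datetime import datetime, timezone

# Cache folders relative to a profile directory. The first two are what the
# answer's %APPDATA% and system-profile paths resolve to; the LocalLow entry
# is an assumption for Windows Vista and later.
CACHE_SUBPATHS = (
    os.path.join("AppData", "Roaming", "Microsoft", "CryptnetUrlCache"),
    os.path.join("Application Data", "Microsoft", "CryptnetUrlCache"),
    os.path.join("AppData", "LocalLow", "Microsoft", "CryptnetUrlCache"),
)

def find_caches(profile_dirs):
    """Return [(profile, cache_dir)] for each distinct cache folder that exists."""
    found, seen = [], set()
    for profile in profile_dirs:
        for sub in CACHE_SUBPATHS:
            path = os.path.join(profile, sub)
            real = os.path.realpath(path)  # junctions may alias one folder
            if os.path.isdir(path) and real not in seen:
                seen.add(real)
                found.append((profile, path))
    return found

def inventory(cache_dir):
    """Describe cached objects, pairing Content/<name> with MetaData/<name>.

    The Content and MetaData subfolder names are assumptions of this example."""
    content = os.path.join(cache_dir, "Content")
    meta = os.path.join(cache_dir, "MetaData")
    names = set()
    for folder in (content, meta):
        if os.path.isdir(folder):
            names.update(os.listdir(folder))
    rows = []
    for name in sorted(names):
        blob = os.path.join(content, name)
        present = os.path.isfile(blob)
        rows.append({
            "name": name,
            "size": os.path.getsize(blob) if present else None,
            "modified": datetime.fromtimestamp(os.path.getmtime(blob), timezone.utc)
                        if present else None,
            "has_metadata": os.path.isfile(os.path.join(meta, name)),
        })
    return rows

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    profiles = [e.path for e in os.scandir(root) if e.is_dir()] if os.path.isdir(root) else []
    for profile, cache in find_caches(profiles):
        for row in inventory(cache):
            print(profile, row["name"], row["size"], row["modified"], row["has_metadata"])
```

Reading other users' profile folders on a live system requires an elevated prompt; pass a different profiles root as the first argument to scan a mounted copy.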
Product News
for IT Pros

NetIQ CloudAccess 2.0 Delivers Improved SSO
to SaaS Applications

NetIQ announced NetIQ CloudAccess 2.0, the latest version of its
single sign-on (SSO) virtual appliance that securely extends existing
IAM processes to include cloud-based SaaS applications. With
CloudAccess 2.0, IT teams can more easily extend access controls
beyond the firewall to SaaS applications to protect sensitive data and
deliver a one-touch, consistent experience for users from their desktop,
laptop, or mobile device. CloudAccess 2.0 extends the convenience
and security of SSO that has been established for on-premises applications
to those in the cloud, helping organizations protect valuable,
sensitive, or regulated information. It also delivers a secure yet simplified
access experience to mobile users. Once users enter their PIN,
they gain one-touch access to both web-based and native applications
on iOS and Android devices, giving them anywhere, anytime access
while on the go. For more information, please visit the NetIQ website.

PanTerra Networks Announces SmartBox 

PanTerra Networks recently announced SmartBox, the world’s first
file-sharing service with built-in unified communications (UC). SmartBox
consolidates multiple cloud services into one, allowing mid-market
enterprise customers to securely share, sync, and store files while
seamlessly communicating and collaborating with users anywhere.
The integrated service delivers ultra-high reliability and Quality of
Service (QoS), as well as enterprise-grade security features to ensure
that employees are always protected whether in the office, at home,
or on their mobile device. By consolidating multiple services into
one, mid-market organizations can realize total cost of ownership
(TCO) savings of up to 70 percent over multiple separate solutions.
SmartBox seamlessly integrates real-time communication and collaboration
capabilities once information has been shared. By adding
UC to store, sync, and share functionality, PanTerra gives enterprises
a true competitive edge that increases productivity, reduces “sales
friction,” and ultimately contributes to top-line revenue. For more
information, visit the PanTerra Networks website.


NETIKUS.NET Releases EventSentry 3.0 

NETIKUS.NET announced the general availability of EventSentry 3.0,
a major upgrade to its log, compliance, and network-monitoring suite.
The most significant improvement in version 3.0 is the completely
new web-based reporting, which features a fresh new look, is platform
independent (Windows, Linux, OS X), and offers a unique and completely
new way to look at data collected from your network. Mobile
clients are also better supported, searching (event) logs supports complex
queries, and dashboards are more flexible. The new jobs functionality
helps automate reporting tasks—for example, with the improved
software/hardware inventory and warranty checks. Enhanced cross-platform
capabilities are also available on the monitoring end: Any
SNMP-enabled device can now be monitored as part of EventSentry’s
heartbeat monitoring functionality. The EventSentry management console
also received a facelift and now features a ribbon, which simplifies
many common tasks in EventSentry. For more information, visit the
NETIKUS.NET website.





Device Cloud Networks Launches Next-Generation 
M2M Platform 

Device Cloud Networks (DCN) announced the launch of its global
end-to-end enablement platform for enterprise machine-to-machine
(M2M) solutions, delivering a next-generation comprehensive M2M
platform that combines wireless connectivity, service provisioning,
device management, and application enablement to simplify the
process of bringing wireless connectivity to products of any type.
With the dynamic global Subscriber Identity Module (SIM) from
DCN, connectivity can be embedded into an M2M device at the point
of manufacturing, to create a single product SKU along with the
required value-added services and web-based management for global
deployment. The reduced complexity, simplified logistics, and highly
flexible business processes make the DCN platform an ideal choice
for enterprises, OEMs, and mobile operator partners. For more information,
please visit the DCN website.

WinMagic Simplifies BitLocker 

WinMagic introduced Microsoft BitLocker management for the company’s
popular SecureDoc data security software, which manages
encrypted data at rest. Along with enhanced support for Trusted Computer
Group (TCG) Enterprise drives, WinMagic is enabling customers
to secure data in ways that are compatible with the most advanced
storage approaches and common OSs without experiencing any of the
hassles typically associated with encryption management. BitLocker
is a commonly used data security feature that encrypts data, and
BitLocker users leveraging SecureDoc Enterprise Server (SES) management
can remove many common encryption headaches. Chief
among them are the password-reset and user-provisioning challenges
of encrypted laptops. Today’s businesses are increasingly working in
hybrid security environments that include a combination of hardware
and software encryption. With the addition of BitLocker management
support in SecureDoc, customers no longer have to choose how and
what to do for data encryption within their organization. For more
information, go to the WinMagic website.

Spiceworks Debuts Free Career Resources 

Spiceworks introduced a series of resources that IT pros can use to
further their careers and that recruiters can use to find candidates with
specific technology expertise. Spiceworks’ IT profiles with projects
and job board, coupled with Spiceworks’ career group, will change the
way IT pros showcase their expertise as well as the information available
to recruiters. During the beta program, Spiceworks users with
early access to the company’s new profiles created nearly 4,000 IT
projects and tagged more than 750 individual products and services.
Spiceworks’ new profiles help IT pros share their expertise more effectively
by helping them highlight the skills and technologies they use
to do their job. Profiles go beyond the traditional resume by allowing
users to share their expertise as they work on projects, the products
and services they’ve used, and their community contributions. For
more information, visit the Spiceworks website.


Catbird Announces Version 6.0 of Its Cloud Security
and Compliance Solution

Catbird Networks announced Catbird 6.0 (formerly Catbird vSecurity),
the latest version of its security automation solution. Catbird 6.0
brings the automation and agility of the cloud to security automation
and compliance enforcement. This new version will extend support
for both VMware and Microsoft hypervisors while supporting
VMware and Cisco offerings including VMware NSX and Cisco ACI.
New application programming interfaces (APIs) enable enterprises
to automate and enforce security policy with auditing for continuous
compliance. Key features of Catbird 6.0 include multi-hypervisor support,
expanded role-based administrative functions, enhanced continuous
monitoring, and a management API that lets enterprises and
service providers integrate security policy and compliance enforcement
into their existing provisioning and management processes. For
more information, visit the Catbird Networks website.